On February 16, Version 2.0 of the CWE/SANS Top 25 Most Dangerous Programming Errors was released. The Top 25, developed collaboratively by more than 30 cyber security organizations, are the most widespread and critical errors that lead to serious software security vulnerabilities and attacks.

“Use of a Broken or Risky Cryptographic Algorithm” (CWE-327) made the list, coming in at #24. Many companies unwittingly and unnecessarily expose themselves to this risk, which could result in the disclosure of sensitive information.

To avoid such a risk, the CWE/SANS report authors recommend the following:
• “Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations.”
• “Periodically ensure that you aren’t using obsolete cryptography.”
• “Automated methods may be useful for recognizing commonly-used [cryptography] libraries or features that have become obsolete.”

For those of you familiar with us, one of the key capabilities in Black Duck Export is scanning for and detecting cryptography in code. While one use of Export is ensuring compliance with government export controls surrounding encryption, a key part of this is to detect which crypto is in use. Using our technology, Black Duck conducted a study of its own revealing encryption algorithms widely embedded in open source software.

The CWE/SANS recommendations do work. On multiple occasions we have heard from Black Duck customers who have discovered, to their surprise, that the encryption algorithms they were actually using was much weaker than they intended.

According to the Ponemon Institute’s most recent U.S. Cost of a Data Breach Study, the cost of data breach incidents to U.S. companies is on the rise. The average total per-incident costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.

Another good reason to make sure you know your code so that your software development teams and your organization can have the peace of mind to focus on your top business objectives.

Apple with the iPhone created a new paradigm for the mobile experience. It combined top notch UI design, touch screen technology, with the app store that leveraged their iPod experience, and combined it all with mobile 3G network capability and GPS. The result was a hit and a meteoric rise in adoption and market share. The iPhone has about 25% share of the 43 million smartphone subscribers in the US, even though it is still offered by only one operator, AT&T. Imagine what iPhone share would be if it were offered by Verizon, T-Mobile and Sprint? (BTW, AT&T recently reported record 2009 results in their wireless business, much of which I’d attribute to the iPhone).

The Android platform is a breakthrough in mobile software platforms, built entirely on open source. It has received a tremendous amount of attention and attracted thousands of developers. It’s important to note that Apple’s iPhone benefitted significantly from OSS integrated with proprietary code (like many software platforms today, we’d characterize it as a “multi-source” platform). Apple ported much of its core FreeBSD-based operating system to the iPhone, uses the Safari browser which is built on OSS, plus incorporated many other OSS elements and libraries (e.g., zlib, libgcc, ncurses, etc.).

In this showdown, the question is: does the introduction of an open-source mobile platform change the mobile app landscape, and are OSS apps a leading indicator of market change? Time will tell but the near term results are promising for Android. It’s gaining market share and winning support from the OSS community (as well as commercial developers). While Android admittedly is still young, the combination of an open platform, attractive UI, and great hardware with support from multiple handset manufacturers and from multiple operators seems to bode well for its future. What do you think?

Collabnet started the company around Subversion, but several years ago acquired Sourceforge Enterprise Edition and turned that into TeamForge, an ALM platform that goes well beyond source code management. Most of the analysts I speak with view Collabnet as a real “up and comer” in the ALM space.

We’re excited to be part of CollabXchange and believe it will be great exposure for Code Sight. The Collabnet site attracts thousands of visitors every day and we think most of them would benefit from the free Edition of Code Sight. It’s a beautiful thing.

But we are also enthusiastic about being associated with Collabnet for other reasons. First, having core open source technology with proprietary products wrapped around it, they “get it” when we talk about multi-source development. Not surprisingly, many of their ideas about modern software development techniques complement ours nicely. For example, they are big on supporting distributed teams and we find that companies doing development across multiple sites most need Black Duck. Also, Collabnet is a pioneer in offering ALM tools as a service. With all the hubbub about the Cloud these days, we expect a number of companies will find this to be the most appropriate way for them to consume development tools. We have SaaS experience with our Transact process, and Collabnet initially built their business on SaaS.

We’re also more than pleased that Collabnet invited Tim Yeaton to give a keynote about agile multi-source development at their first on-line conference “Agile ALM for Distributed Development.” (The on-line conference technology is very cool by the way).  I’m guessing you’ll hear more about Black Duck Collabnet-oration in the future.

Phil tells the tale about a farmer named Raymond and the issues he runs into when given a “truckload of free topsoil.” Those issues are similar to the same problems and burdens that come with free code. “Some of them may be quickly obvious, like big rocks, and others might take a little more time to find, like smaller rocks. The most insidious are the latent ones, lurking like germinating weeds…” To read the full posting click here.

Jim Whitehurst, Red Hat’s CEO, will kick things off with a keynote about the growing opportunities OSS presents for businesses of all sizes – especially in lean times like now and for the near future as the economy stumbles toward recovery.

Immediately following Jim’s keynote, I’m honored to be participating in the keynote panel discussion on The Future of Open Source. Moderated by Michael Skok, General Partner at Northbridge Venture Partners, OSBC planners have assembled a terrific panel of open source leaders, including Larry Augustin (SugarCRM’s CEO and commercial OSS pioneer), Dries Buytaert (CTO and co-founder of Acquia and founder of one of the most dynamic OSS communities in the world – Drupal) and Jim Whitehurst from Red Hat as well. We’ll be engaging in a spirited discussion on open source adoption and where the industry is headed in the coming years. We’ll also be discussing results from the “2010 Future of Open Source” survey. (The survey is still open for you to add your perspective.)

Day two of the conference is also chock full of exciting speakers, panels and break out sessions, including a keynote from Facebook’s David Recordan on scaling Facebook with OSS and the keynote panel – How Open Source Drives a $1.2 Billion Market – featuring Jean Staten Healy from IBM, Director of Cross-IBM Linux Strategy & Marketing.

I’ll be leading a breakout session at 3PM on March 18th called Mixed Fuel for Innovation: Development Trends Blending Open Source with other Code – Who, What, Why and How (in the Strategies for CIO/CTO Track). I’m fortunate to have Addie Welch, VP of Legal Affairs, at Zenoss joining me in this session. We’ll be sharing some real world examples and case studies of innovative companies gaining a competitive advantage with the strategic use of open source software.

I’ll also be participating on a breakout panel hosted by Paula Hunter, the new Executive Director of the CodePlex Foundation, discussing Multi-Source development and interoperability. That session is scheduled for Wednesday March 17th at 11:40AM.

Please come by, listen in, ask questions and say hello!