LOGIN | REGISTER NOW | SUBSCRIBE
 

Black Duck identifies public projects that may be security risks


By David Worthington
Email    print   
November 5, 2009 —  Black Duck Software, a company that sells tools for managing open-source development, has found more than 4,000 instances of public projects containing encryption algorithms strong enough to require a filing with the U.S. Department of Commerce Bureau of Industry and Security (BIS) to export downstream applications.

The company used its Export 5.0 product, which was released on Oct. 21, to analyze its repository of 220,000 open-source projects. Four thousand open-source projects required BIS for approval, and another 4,000 could be considered strong enough for requiring BIS approval depending on how they are used, said Eran Strod, director of product marketing for Black Duck.

Open-source projects are permitted to redistribute encryption algorithms in their source code because they have an exception to the rules, Strod explained. "The National Security Agency and BIS just want to be informed about what is happening in the open-source world."

The U.S. Commerce Department could not be reached comment by press time.

However, that authority does not carry on to downstream developers and organizations that create solutions using open source, Strod said. Those organizations need to obtain a new license to distribute code outside of the United States.

"This is the law, and you have to follow it," Strod said. It is important for developers to be aware of their compliance with encryption export control requirements because they may be "legally on the hook," he added.

The U.S. Commerce Department received oversight authority for encryption export when President Bill Clinton signed Executive Order 13026 in 1996 in response to requests for relaxations in control over U.S exports. Encryption algorithms were previously included on the United States Munitions List, pursuant to the Arms Export Control Act of 1976.

The Commerce Department's BIS prohibits encryption algorithms from being exported to so-called "rogue states." A rogue state is a term applied to a country that the U.S. government considers to be threatening to the world's peace.

Since government oversight of encryption became more relaxed, it has become possible to send algorithms around the world from the U.S., said Rex Black, president of Rex Black Consulting, a security group. There are still other countries that maintain control export regimes, he added, and the U.S law is a "moving target," that has evolved over time.

Changes in how the U.S, government has exercised export controls has created confusion. Black noted that Black Duck is selling software that manages compliance with government requirements, and that it would be in its interest to encourage maximum paranoia about what might be illegal.

However, he added, "It could be that attorneys on [Black Duck's] staff researched it completely."

Black acknowledged that knowing your compliance status is not necessarily a bad idea. "It is good for organizations to be aware of the extent encryption is included in their software, and to know the risks it might pose to them."




Related Search Term(s): Black Duck, open source, security


Share this link: http://sdt.bz/33888
 
Most Read Latest News Blog Resources
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter


Add comment


Name*
Email*  
Country     


  • Comment
Loading




close
NEXT ARTICLE
Cigital Develops Ready-to-Use Tools for Securing the Smart Grid
Cigital Inc. announced the release of the Guide to Developing a Cyber Security and Risk Mitigation Plan Read More...
 
 
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 

Download Current Issue
FEBRUARY 2012 PDF ISSUE

Need Back Issues?
DOWNLOAD HERE

Want to subscribe?


 
blogs tab
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
02/09/2012 02:16 PM EST

Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
02/07/2012 11:57 AM EST

RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
02/04/2012 01:57 PM EST

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
02/03/2012 12:17 PM EST

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.
02/02/2012 08:26 AM EST

Ryan Dahl steps down
Ryan Dahl, creator of Node.js, steps back from his position as gatekeeper for the project.
02/01/2012 04:58 PM EST

 
Events calendar tab
Cloud Connect
2/13/2012 to 2/16/2012
Santa Clara
TechWeb

SPTechCon: The SharePoint Technology Conf.
2/26/2012 to 2/29/2012
San Francisco
BZ Media

RSA Conf.
2/27/2012 to 3/2/2012
San Francisco
RSA

IBM Pulse Conf.
3/4/2012 to 3/7/2012
Las Vegas
IBM Tivoli

Game Developer Conf.
3/5/2012 to 3/9/2012
San Francisco
TechWeb