January 25, 2008
Thoughts on FOSSology

By now you've probably seen HP's FOSSology announcement. It's an initiative that they say will "facilitate the study of Free and Open Source Software by providing free data analysis tools". It's a welcome addition to the open source world, and is evidence of the growth of a robust ecosystem of tools and information. Open source is how software is done today.


December 7, 2007
The Top 5 Most Overlooked Open Source Vulnerabilities for 2007

For year-end 2007, we have compiled the Top 5 Most Overlooked Open Source Vulnerabilities encountered during 2007. We came up with this list after reviewing over 300 million lines of code and spending literally thousands of hours of analysis across a wide range of industries - including technology, financial services and government, among others.


June 12, 2007
Why Your Customers Care About Your Use of Open Source

Beginning in 2006, some customers of my previous company started inserting contract provisions requiring us to identify all open source software in use within the networking service we provided. As the VP of Engineering at the time, I told them that I stood behind the total service offering, regardless of which parts were open source, which were commercially licensed, and which were built by us, so they needn't be concerned about this. In each case they agreed and removed the provision. It is now clear to me that they should not have done so. Here's why.


May 3, 2007
The False Positives of Vulnerability

Jeff Jones writes an ongoing security blog for CSO Online. A recent post about scrubbing and verifying data from repositories such as National Vulnerability Database caught our attention.


March 3, 2006
Webcast - Informal Survey

Last week, our CTO Ray Waldin participated in a webinar with Rob Jenkins from CollabNet and Eddie Correia from SD Times. The topic was "Two Steps to Centralized, Secure, and Auditable Source Code."

As part of the webinar, we conducted an online survey. Here are some of the more interesting results. (We're not for a minute suggesting these are in any way statistically valid):

How do you manage the use of open source in your code base today?


January 2, 2006
IP Ingredients

Twice today... Maybe my new year's resolution is working...
