Paul Krill
Editor at Large

Source code management issues are aired

Nov 17, 2005

Companies offer different perspectives

MOUNTAIN VIEW, Calif. — Vendors touting wares for source code management at an industry event Wednesday cited different business strategies for this market. But all made solid points about critical issues such as intellectual property and security.

Appearing at the IBDNetwork’s Under the Radar event, executives from four companies gave brief presentations to a panel of three venture capitalists, whereupon the vendors were judged by both the panel and the audience. The companies included: Black Duck Software, which focuses on code analysis and intellectual property; Coverity, which addresses code quality and bugs; Fortify Software, which cites security as its forte; and Metallect, which locates interdependencies in software so the applications can be managed as a portfolio.

The event was held at Microsoft offices. In the end Coverity got the audience’s nod as the vendor of choice while Fortify won over the venture capitalists. Each vendor had only five minutes to state its case, followed by a short question-and-answer period.

In making his pitch, Black Duck President and CEO Douglas Levin said software now is being assembled as components, with the Internet serving as a collaboration medium. But this assembly process carries with it risks in areas such as intellectual property obligations, Levin said.

Black Duck offers a subscription service for code analysis based on a knowledge base of 8 million files and 600 licenses, including the SourceForge knowledge base, Levin said. Users of the service are able to track software projects.

“Ultimately, this covers the entire lifecycle of software development,” Levin said. Black Duck also will monitor development done via outsourcing, to make sure that code respects intellectual property obligations, he said.

“The primary driver of the phenomenon of looking at source code and trying to understand binaries and source code that’s in it is the Internet,” Levin said. “Sarbanes-Oxley is certainly a driver, too.”

Coverity stressed quality in software and how failures in the field can result in recalls or other calamities. “There’s an increasing cost of achieving software quality,” said Seth Hallem, CEO at Coverity.

The company analyzes code for a broad range of security and quality flaws, selling services based on lines of code.

Hallem boasted that unlike other participants in the event, Coverity has not needed any venture capital. “We don’t have any funding. Why? Because we have a product that delivers clear and immediate value,” Hallem said.

Fortify CEO John Jack noted his company’s security focus. “We’re addressing a problem at Fortify that we have found to be globally applicable and that problem is security,” he said. Developers have primarily focused on application features, leaving others to concentrate on security, Jack said. Thus, applications have not been developed with security in mind.

Fortify addresses software security by looking at the software lifecycle, performing source code analysis, and eyeing security flaws for large-grade commercial applications used in fields such as financial services and telecommunications, said Jack. The company also simulates attacks and traces the IP addresses of persons attacking an application.

“At Fortify, we have a vision and our vision is safe computing for everyone and the way to get to that vision is to look at your software,” Jack said.

Metallect’s software creates a visual map of each application, scanning source code, metadata, unstructured data, and text files. “The job of our software is to read all that and understand how all these applications are interrelating,” said Tom Hite, co-founder and CTO at Metallect.

Locating interdependencies enables software to be managed as a portfolio, according to Metallect. “When I make a change in software, how far-reaching will the effects be?” Hite asked, in explaining Metallect. The company, for example, will gauge the effects of exposing a service in an SOA.

Although Black Duck was the top choice of neither the audience nor the venture capitalists, the company is receiving funding from two of the venture capitalists represented on the panel: Apollo Strategy Group and Intel Capital. Fortify receives funding from the third venture capital firm represented on the panel, Kleiner Perkins Caufield & Byers.

Paul Krill is editor at large at InfoWorld. Paul has been covering computer technology as a news and feature reporter for more than 35 years, including 30 years at InfoWorld. He has specialized in coverage of software development tools and technologies since the 1990s, and he continues to lead InfoWorld’s news coverage of software development platforms including Java and .NET and programming languages including JavaScript, TypeScript, PHP, Python, Ruby, Rust, and Go. Long trusted as a reporter who prioritizes accuracy, integrity, and the best interests of readers, Paul is sought out by technology companies and industry organizations who want to reach InfoWorld’s audience of software developers and other information technology professionals. Paul has won a “Best Technology News Coverage” award from IDG.