Ship (A5): SDL Activities and Best Practices 211
multiple products in their January 2013 Critical Patch Update, security experts criticized the company for the low number of database fixes and claimed that the company is downplaying the severity of a flaw in its flagship relational database. As Oracle expands its product portfolio and increases the total number of products patched through the quarterly CPU, there appears to be a “bottleneck” in Oracle’s patching process. This CPU was the first time Oracle included the open-source MySQL database, which it acquired in 2010 as part of the Sun Microsystems acquisition.[5]
• CNET Download.com. CNET Download.com was caught adding spyware, adware, and other malware to thousands of software packages that it distributes, including the Nmap Security Scanner. It did this even though the practice clearly violated its own anti-adware policy. (It did remove the anti-adware/spyware promise from the page.) After widespread criticism of the practice, Download.com removed its rogue installer from Nmap and some other software, but the company still uses it widely and has announced plans to expand it. For these reasons, we suggest avoiding CNET Download.com entirely. It is safer to download apps from official sites or more ethical aggregators such as FileHippo, NiNite, or Softpedia.[6]
Using manual methods to find, select, monitor, and validate open-source code is time-consuming, inefficient, and an unnecessary drain on scarce development team resources. Automation through tools such as Black Duck Software (www.blackducksoftware.com) or Palamida (www.palameda.com) is essential to effectively and efficiently incorporate open-source software into SDLC development efforts to drive down development costs and manage the software and its security throughout the SDL. Black Duck Software’s products and services allow organizations to analyze the composition of software source code and binary files, search for reusable code, manage open-source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.[7–9] Palamida enables organizations to manage the growing complexity of multisource development environments by answering the question, “What’s in your code?” Through detailed analysis of the code base, customers gain insight into their code inventory—a critical component of quality control, risk mitigation, and vulnerability assessment with the goal of eliminating legal and vulnerability concerns associated with its use.[10]
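The paragraph above describes what a composition-analysis tool automates: building an inventory of what is in the code, matching that inventory against known vulnerabilities, and flagging the legal obligations that come with mixed-origin code. The following script is an added illustration of that workflow in miniature; it is not Black Duck’s or Palamida’s software or any of their APIs. Everything in it is constructed: the package names, the manifest, the advisory feed (the `EXAMPLE-…` identifiers are placeholders, not real CVEs), and the licence policy. Version matching is a simplified dotted-integer comparison rather than a full PEP 440 implementation.

```python
"""Minimal software-composition audit, constructed for illustration.

Reads a requirements.txt-style manifest into a component inventory, then
checks each component against a constructed advisory feed and a licence
policy. None of the packages, advisories or identifiers below are real.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed manifest (hypothetical package names).
MANIFEST = """\
# constructed sample manifest
webframe==2.3.1
jsonutil==0.9.4
imagelib>=1.2.0   # unpinned: cannot be matched against advisories precisely
cryptokit==4.0.2
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2013-0001", "package": "jsonutil",
     "introduced": "0.9.0", "fixed": "0.9.5", "severity": "high"},
    {"id": "EXAMPLE-2013-0002", "package": "cryptokit",
     "introduced": "3.0.0", "fixed": "4.0.0", "severity": "critical"},
]

# Constructed licence inventory and the licences that need legal review.
LICENSES = {"webframe": "MIT", "jsonutil": "Apache-2.0",
            "imagelib": "GPL-3.0", "cryptokit": "BSD-3-Clause"}
REVIEW_REQUIRED = {"GPL-3.0", "AGPL-3.0"}


@dataclass
class Component:
    name: str
    version: Optional[str]  # None when the manifest does not pin a version


@dataclass
class Finding:
    component: str
    kind: str  # "vulnerability", "license" or "unpinned"
    detail: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified dotted-integer version, e.g. '4.0.2' -> (4, 0, 2)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> List[Component]:
    """Build the component inventory from requirements.txt-style lines."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            components.append(Component(name.strip(), version.strip()))
        else:
            # Any other specifier (>=, ~=, bare name) leaves the version open.
            name = line.split(">=")[0].split("~=")[0].strip()
            components.append(Component(name, None))
    return components


def in_affected_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(components, advisories=ADVISORIES, licenses=LICENSES) -> List[Finding]:
    """Match the inventory against advisories and the licence policy."""
    findings = []
    for c in components:
        if c.version is None:
            findings.append(Finding(c.name, "unpinned",
                                    "version not pinned; advisories cannot be matched reliably"))
        else:
            for adv in advisories:
                if adv["package"] == c.name and in_affected_range(
                        c.version, adv["introduced"], adv["fixed"]):
                    findings.append(Finding(
                        c.name, "vulnerability",
                        f'{adv["id"]} ({adv["severity"]}), fixed in {adv["fixed"]}'))
        licence = licenses.get(c.name, "UNKNOWN")
        if licence == "UNKNOWN" or licence in REVIEW_REQUIRED:
            findings.append(Finding(c.name, "license", f"{licence} requires legal review"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_manifest(MANIFEST)):
        print(f"{f.kind:14} {f.component:10} {f.detail}")
```

Run as written, the audit reports one vulnerable pinned component (jsonutil, inside the advisory’s affected range), one component that cannot be assessed because it is unpinned (imagelib), and one licence finding for that same component; cryptokit is clean because 4.0.2 is at or past the advisory’s fixed version. The unpinned case is the one a manual review most often misses, which is why an automated inventory should treat an open version range as a finding in its own right rather than silently skipping it.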