Encryption Algorithms Widely Embedded in Open Source Software
Black Duck Export 5.0 Release Helps Developers Manage Export Compliance
WALTHAM, Mass., October 21, 2009 - Companies that use open source code in commercial products face a hidden threat from the undetected presence of encryption algorithms, says Black Duck Software, the leading global provider of products and services for accelerating software development through the managed use of open source software.
A search of the Black Duck® KnowledgeBase™, which contains information on more than 220,000 open source projects with tens of billions of lines of code, revealed that over 4,000 projects include encryption algorithms strong enough to require a filing with the US Department of Commerce Bureau of Industry and Security (BIS), if the code is exported from the US. From a regulatory perspective, companies assume responsibility for the encryption content of any open source code in their commercial products, whether sourced from the OSS community or developed in-house. Open source projects, on the other hand, are allowed to publish software containing encryption under license exception TSU. This special exemption is further explained in Black Duck's guide to export laws for open source software referenced below. Violators of US encryption export controls can be subject to significant fines and even imprisonment.
The Black Duck analysis also uncovered an additional 3,900 projects that could potentially require a BIS filing. For example, some projects use algorithms that support a variable key length that, if sufficiently strong, would fall under strict controls.
“Software that uses encryption, even common encryption for only a minor function, must comply with encryption export control requirements,” said export regulation compliance expert Benjamin H. Flowe, Partner, Berliner, Corcoran & Rowe, L.L.P. “It is awkward at best to discover encryption functions only after a company or project has been exporting code.”
The Black Duck analysis also identified the top encryption algorithms present in open source software.
Top 10 Encryption Algorithms Used in Open Source Projects
Black Duck Export 5.0 Helps Developers Identify Encryption Algorithms
The release of Black Duck’s analysis of encryption in open source projects coincides with the 5.0 release of Black Duck Export, a component of the Black Duck Suite which assists companies in complying with export regulations by scanning software and identifying the presence of encryption algorithms. In today’s multi-source development process, developers increasingly download and integrate open source from the Internet. Software tools are needed to assist developers in uncovering what’s in the code they use and controlling its use. Black Duck Export 5.0, which features more than 450 encryption algorithms, has been enhanced with the latest changes to US export regulations to help companies address these challenges.
“With software reuse on the rise, many companies are unaware of hidden encryption technology in their software product and the potential ramifications for exporting the product,” said Eran Strod, Director of Product Marketing, Black Duck Software. “Ballooning code bases pose challenges to uncovering hidden encryption algorithms. Black Duck Export enables companies to detect encryption vulnerabilities and comply with regulations proactively.” Filing requirements for open source projects are generally much simpler than those for commercial products that include open source code.
About Black Duck Software
Black Duck Software is the leading provider of products and services for automating the management, governance and secure use of open source software, at enterprise scale, in a multi-source development process. Black Duck™ enables companies to shorten time-to-market and reduce development costs while mitigating the management, security and compliance challenges associated with open source software. Black Duck Software powers Koders.com, the industry’s leading code search engine for open source, and is among the 500 largest software companies in the world, according to Softwaremag.com. The company is headquartered near Boston and has offices in San Francisco, Paris, Tokyo and Hong Kong, as well as distribution partners throughout the world.
Black Duck, Know Your Code and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and other jurisdictions. Koders is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders.