SAP asks Microsoft, Apple to share hacker-fighting intelligence

[FRANKFURT] SAP SE is trying to marshal business technology's biggest suppliers to gather hacker-fighting intelligence following a spate of security problems with open-source software.

The biggest maker of business applications has contacted companies including Microsoft Corp and Apple Inc about sharing information on analyses of the weaknesses in open-source code, which is generally free to run and available for the user community to improve, according to Gordon Muehl, chief technology officer for security at Walldorf, Germany-based SAP.

More cooperation among the business-software makers could help stanch security flaws found in the open-source programs, which increasingly touch online services and devices used by billions of people. A flaw called Heartbleed, discovered last spring, left hundreds of thousands of servers and routers vulnerable to attack. Another one, Shellshock, emerged in September.

"In the aftermath of Heartbleed, it's clear open source isn't totally secure," Mr Muehl said. "A computer program looks at the code and says, 'This or that might be a problem'. Those computer programs only give you a 'might be,' so you need expert work to look into that."

Mr Muehl plans to address managers from International Business Machines Corp, Microsoft and about 20 other companies about his proposal in March. He spoke with Apple Chief Information Officer Niall O'Connor about it in October.

Steve Lipner, Microsoft's software security director, said in an e-mail the company is optimistic about the SAP initiative and is reviewing a white paper Muehl's team shared. IBM representatives didn't immediately have a comment. An Apple representative in London didn't return calls seeking comment.

Mr Muehl will present more details of the proposal at the next meeting of the Linux Foundation's Core Infrastructure Initiative, an industry effort to identify and fix open-source components whose security maintenance had languished, said Jim Zemlin, president of the San Francisco-based trade group, which supports development of the open-source operating system.

Apple pushed out an automatic security update to its Macintosh computers in late December to fix a security problem in open-source software included in the OS X operating system.

Mr Muehl "sees a way to solve both his issue and everybody's else's," Mr Zemlin said. "It's not often a global software company comes to you and says, 'I want to do something that helps everybody.'"

Open-source software, developed by programmers working for different organizations, helps power many of the Internet's most ubiquitous tools. Services from Facebook Inc and Google Inc, and Apple's iPhone all make broad use of the software. SAP, IBM and Oracle Corp use open-source components inside systems they sell to businesses.

In November, Microsoft released its .Net programming tools for corporate software under an open-source license, letting developers write code that can run on Windows, the Mac, and the open-source Linux operating system.

The cross-platform sharing means technology companies are interdependent on each other's inventions. SAP ships IBM's Eclipse development tools in its Hana data-analysis software, uses the OpenStack platform software for its cloud computing services, and ships other open-source components including the Apache Web server and OpenUI5 tool kit for writing Web applications.

The company, on track for 19.2 billion euros (US$21.6 billion) in sales this year, is moving more of its products to the cloud, an effort that's squeezing profit margin.

Mr Muehl's idea is to have many companies scan for problems in the open-source programs they all use, then share findings about which components are clean and which need improvements.

"We need to check the security anyhow. Why not publish that so it gets better over time?" he said. "Because we only have a limited number of experts, the whole industry is struggling."

SAP may fold a shared database of source-code security analysis into the Core Infrastructure Initiative, Mr Muehl said. The group, formed last year, has raised US$6 million so far to triage and fix weaknesses in open-source code, according to Zemlin.

The initiative's members are a who's who of the technology industry, including Google, Facebook, Microsoft, IBM, Intel Corp, Cisco Systems Inc, and VMware Inc. Hewlett-Packard Co, Salesforce.com Inc and Bloomberg LP, the parent company of Bloomberg News, are also members.

BLOOMBERG