Black Duck, a company specializing in application security and open source compliance, has started a research institution to collect information about open source security vulnerabilities.
Black Duck announced the new center, the Center for Open Source Research & Innovation (Cosri), yesterday during the Black Hat conference in Las Vegas.
Black Duck's technology scans a software repository, checking for license-compliance issues and known vulnerabilities. This is particularly helpful for checking the open source code that developers might be picking up from public repositories, company officials say.
Cosri is a chance for Black Duck to raise its profile in the security community. But the company also thinks the industry needs more of this type of research, considering open source code has become so prevalent. Open source code now makes up about 50 percent of the average application, estimates Cosri spokesman Brian Carter.
Cosri will overlap some of the work Black Duck already does, but the center will also be doing research into areas such as security tools. "The tools to identify vulnerabilities are not mature yet, not as mature as they're going to be," Carter says.
About 85 people, roughly one-third of the company, will be doing work related to Cosri, he says.
Black Duck will use the results in its own work and will share its findings with the industry. But Cosri isn't a consortium; it's a project that Black Duck wholly owns and operates.
If nothing else, Black Duck will provide an overview of the state of security in open source code, information that's not readily available to the industry today, Carter says.
Photo collage by Jessica Duensing for opensource.com, available on Flickr under a CC 2.0 license. The photo has been cropped.