Unlike hardware, software is easily replicated, accessed, copied and re-used, especially since it may appear to be cost free. But this does not mean it is free of licensing and copyright obligations, which are enforceable by law, sometimes with dire effects for the hapless purchaser who may end up with onerous implied obligations. Likewise, a manufacturer who is not careful to validate the pedigree of the code in its products, i.e. the provenance and the associated obligations of all software components, may end up with a lot of legal issues and face significant business risks when those products reach the market.
One such case was Cisco, which acquired Linksys in good faith and proceeded to distribute its products. Alas, Linksys had used a chip from a supplier who had used outsourced contractors to develop the associated software. These sub-sub-contractors had used a piece of open source software under the GPL license, which obliges the user to make any derivative software available as open source under that same GPL license. Nobody in the Cisco-Linksys-chip supplier chain was aware of this piece of code, but when legally challenged, Cisco had only two options: withdraw the product from the market or make all of the product's source code available as open source. To the market's delight, Cisco chose the second option for that specific product, but then went ahead and re-engineered the follow-on product line to eliminate the troublesome piece of code. This was a rather expensive lesson for Cisco, but it serves the whole industry as a visible demonstration of the consequences of not making sure of the intellectual property (IP) and proper pedigree of one's software.
This does not mean that outsourcing or the use of open source software is to be avoided. No, not at all. Open source is very valuable and its use has grown tremendously thanks to the wealth of source code available and its high degree of stability and security. The issue is not with the use of open source, but with its unmanaged adoption without proper care to the copyright and licensing obligations it entails.
What is required is that all software changing corporate hands comes with an associated "bill of materials" which fully records the components in the product, their provenance and the licensing and copyright obligations each of them entails, making sure that there are no incompatibilities or violations. This is a practice long adopted for hardware products. The software industry has matured enough to include software IP management within the development and quality assurance process, as has been done for a long time in the hardware industry.
Traditionally, IP cleanliness was checked manually through rather expensive expert analyses and due diligence processes, mostly undertaken in advance of important financial transactions -- a merger, an acquisition or a major commercial undertaking. Manual analyses are prone to error, consume expert resources, take a long time and are becoming prohibitively expensive nowadays, when software is so pervasive and the use of open source and outsourcing so prevalent.
Fortunately, nowadays there are tools at our disposal to do such pedigree analyses automatically -- on demand, on schedule or even in real time within the development process.
Some of these tools allow the analyses to be done in conjunction with corporate IP policies and lend themselves well to an institutionalization of proper record keeping and safe software development practices.
Corporate IP policies must be based on the organization's business goals, and they should be clear and enforceable. They need to state the acceptable licenses, the approved vendors, what is restricted, and what should be done if unknown or unacceptable code is being brought into the organization's software.
As the critical factors driving the economics of software management are the effort needed to fix software IP issues and the associated delays in bringing a product to market, everything should be done to catch IP issues as early as possible in the development process rather than waiting until the product is finished.
The best results are obtained when record keeping and IP management are treated as integral parts of the software development and quality assurance process:
- Establishment and enforcement of an organization software IP policy commensurate with the corporate business goals;
- Analysis of the enterprise legacy code and the creation of an associated pedigree database;
- Interpretation of the existing software status vis-a-vis the organization's IP policy, with adequate follow-up actions to remedy any policy violations;
- Real-time gathering of software records for all new source code created or brought into the organization by its developers;
- Preventive analysis of each new software component to ensure that it meets the corporate IP policy;
- Alerting developers if code brought into the project does not meet corporate IP policy, together with instructions on what to do in order to alleviate the situation in real time;
- Completion of a "software bill of materials" which contains information on all components, including their origin, licensing obligations, supplier history, version, and all other pertinent information for proper lifetime management.
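As an added example (not from the article and not Protecode's product code), the following Python checker applies a corporate IP policy of the kind described above to a software bill of materials. The policy values, component names, suppliers and origins are constructed; the sample SBOM mirrors the article's supplier chain, with a copyleft component introduced by an unknown subcontractor and another component whose license could not be established.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed corporate IP policy for a product shipped as closed-source
# binaries (hypothetical values, not any real organization's policy).
POLICY = {
    "distribution": "proprietary",
    "approved_licenses": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    # Copyleft licenses whose obligations conflict with proprietary distribution
    "copyleft_licenses": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "approved_suppliers": {"in-house", "chipvendor", "pypi"},
}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: Optional[str]    # None: license could not be established
    supplier: Optional[str]   # who brought the code in (None: unknown)
    origin: str               # repository, package index or contract reference

def check_component(c: Component, policy: dict) -> list:
    """Findings as (severity, message): 'violation' blocks shipping,
    'unknown' needs provenance work, 'review' needs legal sign-off."""
    findings = []
    ident = f"{c.name}@{c.version} ({c.origin})"
    if c.license is None:
        findings.append(("unknown", f"{ident}: no license recorded; establish provenance"))
    elif c.license in policy["copyleft_licenses"] and policy["distribution"] == "proprietary":
        findings.append(("violation", f"{ident}: {c.license} obliges release of derivative source"))
    elif c.license not in policy["approved_licenses"]:
        findings.append(("review", f"{ident}: license {c.license} not on approved list"))
    if c.supplier not in policy["approved_suppliers"]:
        findings.append(("review", f"{ident}: supplier {c.supplier!r} not approved"))
    return findings

def audit_sbom(sbom, policy):
    """Return (ship_ok, findings); a clean SBOM yields (True, []) so developers
    are only interrupted when unknown or unacceptable code appears."""
    findings = [f for c in sbom for f in check_component(c, policy)]
    ship_ok = not any(sev in ("violation", "unknown") for sev, _ in findings)
    return ship_ok, findings

# Constructed sample SBOM modelled on the supplier chain in the article
SAMPLE_SBOM = [
    Component("router-ui", "2.1.0", "MIT", "in-house", "git:internal/router-ui"),
    Component("wifi-driver", "4.3", "BSD-3-Clause", "chipvendor", "contract-17"),
    Component("netfilter-glue", "0.9", "GPL-2.0-only", None, "contract-17/subcontractor"),
    Component("parselib", "1.2", None, "pypi", "pypi:parselib"),
]
```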
Done properly, software IP management should be unobtrusive to the developers, requiring their attention only when code of unknown or unacceptable pedigree is brought into the software.
The need to ensure the IP cleanliness of software-intensive products is becoming truly acute in a down economy, where risks must be mitigated as much as possible while competition is getting fiercer. In a down economy, many businesses are forced to reduce costs and shorten time to market, which leads to more use of external contractors and open source software. This makes it paramount for industrial managers to validate the IP cleanliness of their products and services before they reach the market.
Fortunately this can be achieved through application of recently available automatic tools for record keeping and source code portfolio management. Some of these software tools are truly affordable even for small companies, are easy to adopt and have proven useful in lowering development and due diligence costs, while shortening time to market, providing certification for clean IP software and reducing business risks inherent in commercial transactions.
Mahshad Koohgoli is the CEO of Protecode, Inc., based in Ottawa, Ontario, Canada. Sorin Cohn-Sfetcu has 30 years of international business and technology experience. He holds several patents in Web services, wireless, and digital signal processing. Protecode Inc. delivers products and services for software governance and Intellectual Property (IP) management. www.protecode.com.