Legal Compliance -- From Software Development to Delivery

Open source code is generally free on the surface, but it's not without obligations. It comes laden with licensing and copyright conditions.

In the age of open source and large scale outsourcing, both assuring the quality of software and taking it to market means ascertaining its legal compliance as well. Numerous legal cases in recent years have highlighted the business risks and the enormous costs incurred when this is not done properly.

These costs stem from involvement in judicial procedures, software recalls, fixing legal compliance issues post-release and missed market opportunities caused by delays in the development process. Other consequences include lowered valuations in due diligence processes triggered by customers, potential or existing investors, mergers and acquisitions and other major transactions.

Software is a pervasive element in most products and processes, and over time, its sources have multiplied. Sources include internal developments, suppliers of sub-systems and chips, outsourced development contractors, open source repositories and the previous work of the developers themselves. Software, unlike hardware, is easily accessed, replicated, copied and re-used.

Open source software has become a significant player in most software development, thanks to the wide availability of source code, its apparent free cost and its high degree of stability and security. Open source code is generally free on the surface, but it's not without obligations. It comes laden with licensing and copyright conditions which are enforceable by law -- sometimes with dire effects for users who are not careful to validate the pedigree of the code in their products, i.e., the origin and any associated obligations of all software components.

This doesn't mean that leveraging outsourcing and/or open source software is to be avoided. The issue is not with the use of open source, but with unmanaged adoption and lack of proper care to the copyright and licensing obligations it entails. It's paramount that industrial managers validate the IP cleanliness of their products and services and ascertain that they meet all legal obligations before they reach the market by

Principal Aspects of Legal Compliance

Assuring compliance to legal obligations implies the following three major aspects:

  1. Definition of a corporate (or specific project) intellectual property (IP) policy which must be met by all associated products and services.
  2. The auditing of software to determine all implied legal obligations as per associated IP policy.
  3. The necessary fixes -- legal or development intensive -- such that all software components meet said IP policy.

The IP Policy must be defined in accordance with both the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality assurance departments.

Auditing software for legal compliance is a process that is traditionally only begun just before major commercial or financial events. It's a complex process: preparation, document review, management conferences, designer conferences, analysis, legal consulting and reporting. It is time consuming and expensive as it consumes valuable engineering, management and legal resources. Even then, in most cases, the results have been inaccurate as there are usually insufficient records on what is actually in the software. As these problems continue to emerge, automated tools for auditing the software composition and determining legal obligations have become an attractive option.

The "fixes" necessary to make the software legally compliant as per IP policy can be complex. Some software components may have to be replaced entirely due to IP infringement. This can be expensive, as new software components have to be found and the overall software needs to be re-tested. In other cases, it may be sufficient to formalize the assumptions of obligations as demanded by license or copyrights.

Bringing Legal Compliance Assurance into the Development Process

Mitigating business risks associated with software legal compliance is best addressed by building legal considerations into the development process itself. The following options address compliance measures at different points in the development process. Some of the options listed, such as periodic and real-time assessment, can be used in combination for best results.

Ignore: Deciding to ignore the compliance issue carries the lowest up-front cost but bears the highest risks.

Preventative -- Developer Training and Project Planning: Some companies -- especially small and mid-size ones -- consider that proper training and project planning are sufficient in normal situations, and accept that an audit will be undertaken during imposed due-diligence efforts. Naturally, the more the developers are trained on matters of software legal compliance, the more effective the development process can be. This is, however, a rather expensive proposition, given the explosive growth in the number of distinct software licenses, the high cost of developer training, and the constant churn within the development environment. With this option, compliance rests solely on developers and any assurances are their responsibility.

Post Development: Taking action later in the project lifecycle can take the form of external or internal auditing and impacts the final stages of testing and the quality assurance process. This option can bear higher costs due to professional services, the cost of any necessary changes to the software after the fact, and subsequent re-testing and re-auditing. This option gets results, does not impact development workflow, and can be rendered more cost effective with software tools designed for this purpose. It can, however, prolong the project lifecycle near the end, resulting in delays to the delivery of the final product that are hard to predict.

Periodic: Periodic auditing of software during development involves course corrections along the way if any policy violations are detected. This can be done with automatic tools and is less expensive than waiting until after the development process thanks to the shorter delays in getting the fixes done and re-tested.

Real-time: The most pro-active measure for software compliance assurance is to detect license violations immediately at the developer workstation in real time. The development process is not disturbed and the cost of corrections is minimized as any necessary corrections -- which might include justification of selection, code changes or replacement -- are done on the spot without involvement of other resources and without need for re-testing. This process can be automated via software tools in ways that are unobtrusive, easy to adopt and, most importantly, do not require developer training in matters of legal compliance. Detecting possible violations in real-time is the most cost efficient and lowest risk option in the long term.

The later in the software lifecycle such fixes are effected, the more expensive they become. If legal compliance issues are discovered during the development process, the fixes become less onerous and the business risks are reduced.

Bringing Legal Compliance into the Software Product Lifecycle

From a business and product management perspective, legal compliance goes beyond the development process and needs to be dealt with at project conception and from a customer standpoint. The critical elements of effective software IP management in an organization are:

  • Existence of an IP policy for each project undertaken and a process to disseminate and apply it. Corporate IP policies must be based on the organization's business goals and they should be clear and enforceable.
  • Processes and tools for ascertaining the legal obligations and managing the IP of software created and/or acquired in the organization.
  • Software Bill of Materials (BoM) that fully records the components in the product, their provenance and the licensing obligations they entail. An adequate BoM is instrumental in determining the legal compliance of the software.
  • Assurance and support for customers concerning the quality and IP cleanliness of software provided.

These elements provide a basis for meeting legal compliance with respect to the lifecycle of the software product from conception to delivery.

With respect to the tools available, modern software IP management applications simplify and enable safe open source adoption, giving developers the freedom to select the best solutions in accordance with the corporate IP policy. For instance, these tools can support pedigree analysis and IP policy violation detection automatically -- on demand, on schedule or even in real time within the development process. They can also provide a BoM on demand. Taken together, these IP management features deliver higher value and provide customer assurances.
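The BoM-driven policy check the article describes, as an added example that is not part of the original article and not code from Protecode or any other vendor's tool. The IP policy is a hypothetical one, and the BoM is a constructed document loosely modelled on the CycloneDX JSON layout; the license identifiers are SPDX-style strings. Components with no recorded license are reported as findings rather than silently passed, because a BoM that cannot state a component's obligations is exactly the "insufficient records" problem the article warns about.

```python
"""Check a software Bill of Materials (BoM) against an IP policy.

Constructed example: the BoM below is a minimal structure loosely modelled on
the CycloneDX JSON layout, and the policy is hypothetical. Neither comes from
the article or from any vendor's tool.
"""
import json

# Hypothetical corporate IP policy keyed by SPDX-style license identifiers.
IP_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    # Licenses that may be used only after legal review (e.g. copyleft code
    # that would be linked into a proprietary product).
    "review": {"GPL-3.0-only", "LGPL-2.1-only"},
    "denied": {"AGPL-3.0-only"},
}

# Constructed BoM: one component per third-party dependency, with provenance
# (supplier) and the licensing obligations recorded for it.
SAMPLE_BOM = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.2.0", "supplier": "example.org",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9.1", "supplier": "vendor-b",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "libbaz", "version": "2.0.0", "supplier": "contractor-c",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # No license recorded at all: the "insufficient records" case.
        {"name": "libqux", "version": "3.1.4", "supplier": "unknown",
         "licenses": []},
    ]
})


def component_licenses(component):
    """Return the set of license ids recorded for one BoM component."""
    ids = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.add(lic["id"])
    return ids


def classify(component, policy):
    """Classify a component as 'ok', 'review', 'denied' or 'unknown'.

    Precedence: any denied license blocks outright; a license the policy does
    not mention (or no license at all) is 'unknown' and also blocks, since the
    obligations cannot be determined; a reviewable license needs legal sign-off.
    """
    ids = component_licenses(component)
    if not ids:
        return "unknown"
    if ids & policy["denied"]:
        return "denied"
    if ids - policy["allowed"] - policy["review"]:
        return "unknown"
    if ids & policy["review"]:
        return "review"
    return "ok"


def audit_bom(bom_json, policy=IP_POLICY):
    """Audit a BoM document and return one finding per component."""
    bom = json.loads(bom_json)
    findings = []
    for comp in bom.get("components", []):
        findings.append({
            "component": f"{comp['name']}@{comp['version']}",
            "supplier": comp.get("supplier", "unknown"),
            "licenses": sorted(component_licenses(comp)),
            "status": classify(comp, policy),
        })
    return findings


def violations(findings):
    """Findings that block release under the policy (denied or unrecorded)."""
    return [f for f in findings if f["status"] in ("denied", "unknown")]


if __name__ == "__main__":
    report = audit_bom(SAMPLE_BOM)
    for f in report:
        lics = ",".join(f["licenses"]) or "-"
        print(f"{f['status']:8} {f['component']:15} {f['supplier']:13} {lics}")
    print(f"{len(violations(report))} blocking finding(s)")
```

Run on the constructed BoM, the script reports libfoo as ok, libbar as needing review, libbaz as denied and libqux as unknown, so two findings block release. The same check can be wired to run on demand, on a schedule or in a pre-commit hook, which is the periodic and real-time placement the article describes.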

The critical factors driving the economics of software IP management are the effort needed to fix software IP issues and the associated delays in introducing the product to market. Everything should therefore be done to ensure legal compliance throughout the product's lifecycle, for maximum cost efficiency and minimum risk. As companies continue to leverage third-party code, legal compliance issues become increasingly integral to business priorities. Consciously implementing measures for legal compliance in the development process itself, as well as incorporating aspects of effective software IP management into the organization, is now crucial for any entity concerned with software development and delivery.

Sorin Cohn-Sfetcu has 30 years of international business and technology experience. He holds several patents in Web services, wireless, and digital signal processing. Kamal Hassin is a thought-leader in the area of open source licensing and is the author or co-author of a number of papers on Software Intellectual Property management. Protecode delivers products and services for software governance and Intellectual Property (IP) management. http://www.protecode.com.
