Software is everywhere -- in mobile devices, commercial equipment, desktop applications, network servers and more. It's difficult to find a device that doesn't contain software. But where does that software come from?
Developers increasingly supplement custom coding with outsourced code, commercial libraries and open source software. Open source has become a significant component of all software development, intentionally and sometimes unintentionally, thanks to the abundance of available code, its apparent free cost, and a high degree of stability and security. But while open source code can appear to be free, it is not without obligation. It typically comes laden with licensing and copyright responsibilities that are enforceable by law. Even accidental infringements can result in fines and injunctions which can play havoc with manufacturing schedules, inventory control and supply chain management. It is prudent that organizations manage their license obligations when they are incorporating software from a variety of sources. Ignoring these obligations or simply being ignorant of them can have dire consequences, as some recent legal cases have shown.
There are a number of approaches to license management, ranging from doing nothing to fully automated real-time scanning of software to detect and report license obligations. All approaches can be viewed from a cost perspective, with the aim of maximizing developer productivity while minimizing legal risk.
So let's look at a cost model for ensuring legal compliance that takes into account factors such as the extent of open source usage in a product, the extent to which the content violates an organization's licensing policies, the probability of detecting a violation after a product launch, and the cost of fixing any problems at different stages during a product's development.
Options for Managing Open Source Licensing
The following options are available to address license compliance at different points in the development process.
- Do nothing: popular until recently, this option ignores the compliance issue because it carries the lowest up-front cost, but imposes the highest business risks and largest corrective costs as a product moves closer to launch.
- Developer training and project planning: many companies consider proper training and project planning sufficient in most cases, but it also carries increasing risk because of broadening software license diversity and the cost of developer training. Compliance depends solely on developers and there is consequently no reliable assurance of legal compliance before going to market.
- Post-development license analysis and correction: action taken late in the development cycle can take the form of external or internal audits, and affects the final stages of testing and the quality process. This option does not disturb the development workflow and can be automated with software tools designed for this purpose. However, if license violations are discovered at this point, fixing them prolongs the project lifecycle and increases development cost.
- Periodic assessment: licensing analysis during development allows for corrections along the way if license violations are detected. This type of analysis can be automated and tends to be less expensive than post-development assessment since changes and re-tests are always easier to undertake earlier rather than later in the cycle.
- Real-time preventive assistance at the developer workstation: the most proactive way of ensuring license compliance detects violations immediately and automatically at the developer workstation, in real time. The development process is not disturbed, and the cost of corrections is minimized, because any necessary correction is made immediately without calling on external resources or requiring re-testing. The process can be automated using unobtrusive software tools that do not require developers to be trained in legal compliance. Managing licenses in real time is generally the most cost-efficient and lowest-risk option.
Automated Software Scanning and License Management Tools
Tools are available to automate these options by scanning software to detect licensing policy violations. They can operate on demand, on a periodic schedule or in real-time within the development process. Generally such tools find compliance problems sooner, lowering the overall cost of license compliance. Some automated software scanning solutions allow software analyses to be done in accordance with corporate IP policies. These lend themselves well to instituting proper record keeping and safe software development practices.
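What such a policy-driven scan does at its simplest, shown here as an added example that is neither Protecode's tool nor code from this article: recognise the license declared in each file's header, map it onto a corporate IP policy, and report anything denied or unrecognised. The sample file headers, the file paths and the allow/deny policy are all constructed for the example; the license identifiers are standard SPDX identifiers. A file with no recognisable header is sent for review rather than allowed, since a missing header says nothing about where the code came from.

```python
import re
import sys
from typing import Optional

# Constructed sample source files (path -> header text). Illustrative only;
# these are not files from any real project.
SAMPLE_FILES = {
    "src/util/strbuf.c": "/* SPDX-License-Identifier: MIT */\nint strbuf_init(void);\n",
    "src/net/ssl_shim.c": (
        "/*\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License, or\n"
        " * (at your option) any later version.\n"
        " */\n"
    ),
    "src/json/parser.c": '// Licensed under the Apache License, Version 2.0 (the "License");\n',
    "src/core/main.c": "// internal module, no license header\n",
}

# Constructed example policy for a proprietary product: permissive licenses are
# allowed, strong copyleft is denied, anything unrecognised needs human review.
EXAMPLE_POLICY = {
    "MIT": "allow",
    "BSD-3-Clause": "allow",
    "Apache-2.0": "allow",
    "GPL-2.0-only": "deny",
    "GPL-2.0-or-later": "deny",
    "GPL-3.0-only": "deny",
    "GPL-3.0-or-later": "deny",
}

# An SPDX tag is authoritative; the other patterns match common boilerplate
# phrasing found in file headers that carry no SPDX tag.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
GPL_BOILERPLATE = re.compile(r"GNU General Public License.*?version (\d)", re.S | re.I)
GPL_OR_LATER = re.compile(r"any later version", re.I)
PHRASE_RULES = [
    (re.compile(r"Apache License,?\s+Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]


def detect_license(text: str) -> Optional[str]:
    """Return the SPDX identifier declared in a file header, or None if none is found."""
    m = SPDX_TAG.search(text)
    if m:
        return m.group(1)
    m = GPL_BOILERPLATE.search(text)
    if m:
        suffix = "or-later" if GPL_OR_LATER.search(text) else "only"
        return f"GPL-{m.group(1)}.0-{suffix}"
    for pattern, spdx_id in PHRASE_RULES:
        if pattern.search(text):
            return spdx_id
    return None


def classify(spdx_id: Optional[str], policy: dict) -> str:
    """Map a detected license onto the policy verdict: allow, deny or review."""
    return policy.get(spdx_id, "review")


def scan_files(files: dict, policy: dict) -> dict:
    """Scan each file's header text; returns path -> (license, verdict)."""
    report = {}
    for path, text in files.items():
        lic = detect_license(text)
        report[path] = (lic, classify(lic, policy))
    return report


def denied_paths(report: dict) -> list:
    """Paths whose declared license the policy denies, sorted for stable output."""
    return sorted(path for path, (_, verdict) in report.items() if verdict == "deny")


if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES, EXAMPLE_POLICY)
    for path, (lic, verdict) in result.items():
        print(f"{verdict:<6} {lic or '<none>':<18} {path}")
    # A non-zero exit lets the scan gate a commit or build on a denied license.
    sys.exit(1 if denied_paths(result) else 0)
```

Run on demand it produces a report; wired into a pre-commit hook or a build step, the non-zero exit is what turns the same logic into the periodic or real-time checks described above.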
The licensing management cost model considers the following scenarios:
Costs to Detect and Fix Licensing Policy Violations
- $20,000 average cost of licensing non-compliance discovered in the field. The worst case is where violations are discovered in a released product. In such cases, costs are much higher because of legal expenses and the higher inherent cost of 'fixing' a finished product. Not taking into account the prospect of going to court, the costs can start at $5,000 and potentially stretch beyond $50,000.
- $1,500 average cost of licensing non-compliance discovered during quality assurance. A policy violation detected at the QA test stage usually involves testing personnel, development managers and developers in ultimately deciding what has to be done to implement the necessary correction (typically, replace the offending code). This may take more than one person-day of work and usually ranges between $500 and $3,000.
- $40 average cost to fix a policy violation discovered at the developer's workstation. This may take only minutes of the developer's time and does not involve any other expensive resources. Therefore, the cost, based on the time taken, for fixing issues right at the developer workstation could range between $25 and $60.
To illustrate a diversity of project scenarios, project sizes ranging from 2,000 code files up to 100,000 code files have been evaluated. For each project size the overall cost of open source licensing compliance is calculated for the following approaches:
- Do nothing, post-development compliance;
- Pre-release licensing assessment and correction;
- Real-time automated desktop scanning.
An interesting observation is that varying the assumptions does not affect the generality of results. This leads to a set of 'takeaway learnings' from the analysis:
- The larger the project, the higher the number of components and the larger the number of corresponding license violations, thus there is a higher probability of being 'caught' in the field, with the associated cost of adjustment.
- Ignoring licensing compliance can be costly, and it is difficult to put an upper limit on the cost of shipping non-compliant software.
- Corrective analysis, using automated tools at regular intervals and during QA, reduces the overall cost significantly.
- Combining real-time IP management at the developer's desktop with scanning at QA or build-time reduces the cost of potential non-compliance significantly.
Proper licensing and copyright compliance, implemented as part of the normal QA process, can yield savings of between 40% and 65%, relative to the potential costs of non-compliance. Combining QA testing with preventive tools for software license management at the developer's workstation can raise the level of savings to over 85%.
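The cost comparison above can be reproduced in outline with a small expected-cost model, given here as an added example and not as the article's or Protecode's own model. The three per-incident costs ($20,000 in the field, $1,500 at QA, $40 at the workstation) are the article's; the violation density per 1,000 files, the probability that a shipped violation is discovered in the field, and the catch rates of a QA scan and of real-time desktop scanning are constructed assumptions, so the savings the model prints follow from those assumptions rather than from the article's analysis. Each approach is costed as the sum, over the violations caught at each stage, of the number caught times the cost of fixing at that stage, with whatever ships priced at the field cost weighted by its detection probability.

```python
from dataclasses import dataclass

# Per-incident costs quoted in the article: average cost of fixing one
# licensing policy violation at the stage where it is discovered.
COST_FIELD = 20_000    # discovered in a released product
COST_QA = 1_500        # discovered during QA / pre-release assessment
COST_DESKTOP = 40      # discovered at the developer's workstation


@dataclass(frozen=True)
class Assumptions:
    """Parameters the article describes but does not quantify.

    Every value here is a constructed assumption for illustration, not a
    figure from the article; change them to see how the comparison moves.
    """
    violations_per_1000_files: float = 2.0  # policy violations per 1,000 code files
    p_field_detection: float = 0.3          # chance a shipped violation is found in the field
    qa_catch_rate: float = 0.8              # share of violations still present that a QA scan finds
    desktop_catch_rate: float = 0.9         # share of violations real-time desktop scanning catches


def expected_violations(files: int, a: Assumptions) -> float:
    """Violations grow with project size, as the article's observations state."""
    return files / 1000 * a.violations_per_1000_files


def field_cost(shipped: float, a: Assumptions) -> float:
    """Expected cost of the violations that reach the field."""
    return shipped * a.p_field_detection * COST_FIELD


def cost_do_nothing(files: int, a: Assumptions) -> float:
    """Every violation ships; only discovery in the field costs anything."""
    return field_cost(expected_violations(files, a), a)


def cost_qa_only(files: int, a: Assumptions) -> float:
    """Pre-release assessment: QA catches a share, the remainder ships."""
    v = expected_violations(files, a)
    caught_qa = v * a.qa_catch_rate
    return caught_qa * COST_QA + field_cost(v - caught_qa, a)


def cost_desktop_and_qa(files: int, a: Assumptions) -> float:
    """Real-time desktop scanning first, then a QA scan on whatever slipped through."""
    v = expected_violations(files, a)
    caught_desktop = v * a.desktop_catch_rate
    remaining = v - caught_desktop
    caught_qa = remaining * a.qa_catch_rate
    return (caught_desktop * COST_DESKTOP
            + caught_qa * COST_QA
            + field_cost(remaining - caught_qa, a))


def compare(files: int, a: Assumptions = Assumptions()) -> dict:
    """Expected cost of each approach and its savings relative to doing nothing."""
    base = cost_do_nothing(files, a)
    qa = cost_qa_only(files, a)
    both = cost_desktop_and_qa(files, a)
    return {
        "do_nothing": base,
        "qa_only": qa,
        "desktop_and_qa": both,
        "savings_qa_only": 1 - qa / base,
        "savings_desktop_and_qa": 1 - both / base,
    }


if __name__ == "__main__":
    print(f"{'files':>8} {'do nothing':>12} {'QA only':>10} {'desktop+QA':>11} "
          f"{'saving QA':>10} {'saving both':>12}")
    for files in (2_000, 10_000, 50_000, 100_000):
        r = compare(files)
        print(f"{files:>8} {r['do_nothing']:>12,.0f} {r['qa_only']:>10,.0f} "
              f"{r['desktop_and_qa']:>11,.0f} {r['savings_qa_only']:>10.0%} "
              f"{r['savings_desktop_and_qa']:>12.0%}")
```

Because every term scales linearly with the violation count, the percentage savings under these assumptions are the same at every project size while the absolute cost of doing nothing grows with it, which is the article's first observation. The figures most worth revisiting for a real product are the field-detection probability and the violation density, since both are product-specific and neither is published here.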
Kamal Hassin, Director, R&D and Product Management at Protecode (www.protecode.com), is a thought-leader in the area of open source licensing and is the author or co-author of a number of papers on Software Intellectual Property management. Kamal has a Bachelor of Engineering degree and a Masters degree in Technology Innovation Management from Carleton University. He can be reached at [email protected].