Legal Compliance: From Software Development to Delivery
Sorin Cohn-Sfetcu, Protecode
Kamal Hassin, Protecode
In the age of open source and large scale outsourcing, both assuring the quality
of software and taking it to market means ascertaining its legal compliance.
Numerous legal cases in recent years have highlighted the business risks and
the enormous costs incurred when this is not done properly. These costs stem
from involvement in judicial procedures, software recalls, fixing legal compliance
issues post-release, and missed market opportunities caused by delays in the
development process. Other consequences include lowered valuations in due diligence
processes triggered by customers, potential or existing investors, mergers and
acquisitions, and other major transactions.
Software is a pervasive element in most products and processes, and over time,
its sources have multiplied. Sources include internal developments, suppliers
of sub-systems and chips, outsourced development contractors, open source repositories
and the previous work of the developers themselves. Software, unlike hardware,
is easily accessed, replicated, copied and re-used.
Open source software has become a significant player in most software development,
thanks to the wide availability of source code, its apparent free cost and its
high degree of stability and security. Open source code is generally free on
the surface, but it's not without obligations. It comes laden with licensing
and copyright conditions which are enforceable by law -- sometimes with dire
effects for users who are not careful to validate the pedigree of the code in
their products, i.e. the origin and any associated obligations of all software.
This doesn't mean that leveraging outsourcing and/or open source software is
to be avoided. The issue is not with the use of open source, but with unmanaged
adoption and lack of proper care to the copyright and licensing obligations
it entails. It's paramount that industrial managers validate the IP cleanliness
of their products and services and ascertain that they meet all legal obligations
before they reach the market.
Principal aspects of legal compliance
Assuring compliance with legal obligations implies the following three major
- Definition of a corporate (or specific project) intellectual property (IP)
policy which must be met by all associated products and services.
- The auditing of software to determine all implied legal obligations as per
the associated IP policy.
- The necessary fixes -- legal or development intensive -- such that all software
components meet said IP policy.
The IP Policy must be defined in accordance with both the business goals of
the organization and its engineering processes. Therefore, it requires the involvement
of business and engineering managers, as well as the proper legal counsel. The
policy must be clear and enforceable. It should be captured for distribution
and application within the development and quality assurance departments.
Auditing software for legal compliance is a process that is traditionally only
begun just before major commercial or financial events. It's a complex process:
preparation, document review, management conferences, designer conferences,
analysis, legal consulting and reporting. It is time consuming and expensive
as it consumes valuable engineering, management and legal resources.
Even then, in most cases, the results have been inaccurate as there are usually
insufficient records on what is actually in the software. As these problems
continue to emerge, automated tools for auditing the software composition and
determining legal obligations have become an attractive option.
The "fixes" necessary to make the software legally compliant as per the
IP policy can be complex. Some software components may have to be replaced entirely
because of IP infringement. This can be expensive, as replacement components have
to be found and the overall software needs to be re-tested. In other cases,
it may be sufficient to formally assume the obligations demanded
by the license or copyright.
Bringing legal compliance assurance into the development process
Mitigating business risks associated with software legal compliance is best
addressed by building legal considerations into the development process itself.
The following options address compliance measures at different points in the
development process. Some of the options listed, such as periodic and real-time
assessment, can be used in combination for best results.
Deciding to ignore the compliance issue carries the lowest up-front cost but
bears the highest risks.
Preventative -- developer training and project planning:
Some companies -- especially small and mid-size ones -- consider that proper
training and project planning are sufficient in normal situations, and accept
undertaking an audit only when due-diligence efforts impose one.
Naturally, the more the developers are trained on matters of software legal
compliance issues, the more effective the development process can be. This is,
however, a rather expensive proposition, given the explosive growth in number
of distinct software licenses, the high cost of developer training, and the
constant churn within the development environment. With this option, compliance
rests solely on developers and any assurances are their responsibility.
Taking action later in the project lifecycle can take the form of external
or internal auditing and impacts the final stages of testing and the quality
assurance process. This option can bear higher costs due to professional services,
the cost of any necessary changes to the software after the fact, subsequent
re-testing and re-auditing.
This option gets results, does not impact development workflow, and can be
rendered more cost effective with software tools designed for this purpose.
It can, however, prolong the project lifecycle near the end, resulting in delays
to the delivery of the final product that are hard to predict.
Periodic auditing of software during development involves course corrections
along the way if any policy violations are detected. This can be done with automatic
tools and is less expensive than waiting until after the development process
thanks to the shorter delays in getting the fixes done and re-tested.
The most pro-active measure for software compliance assurance is to detect
license violations immediately at the developer workstation in real time. The
development process is not disturbed and the cost of corrections is minimized
as any necessary corrections -- which might include justification of selection,
code changes or replacement -- are done on the spot without involvement of other
resources and without need for re-testing.
This process can be automated via software tools in ways that are unobtrusive,
easy to adopt and, most importantly, do not require developer training in matters
of legal compliance. Detecting possible violations in real-time is the most
cost efficient and lowest risk option in the long term.
The later in the software lifecycle such fixes are effected, the more expensive
they become. If the legal compliance issues are discovered during the development
process, the fixes are less onerous and the business risks are reduced.
Bringing legal compliance into the software product lifecycle
From a business and product management perspective, legal compliance goes beyond
the development process and needs to be dealt with at project conception and
from a customer standpoint. The critical elements of effective software IP management
in an organization are:
- Existence of an IP policy for each project undertaken and a process to disseminate
and apply it. Corporate IP policies must be based on the organization's business
goals and they should be clear and enforceable.
- Processes and tools for ascertaining the legal obligations and managing
the IP of software created and/or acquired in the organization.
- Software Bill of Materials (BoM) that fully records the components in the
product, their provenance and the licensing obligations they entail. An adequate
BoM is instrumental in determining the legal compliance of the software.
- Assurance and support for customers concerning the quality and IP cleanliness
of software provided.
These elements provide a basis for meeting legal compliance with respect to
the lifecycle of the software product from conception to delivery.
With respect to the tools available, modern software IP management applications
simplify and enable safe open source adoption, giving developers the freedom
to select the best solutions in accordance with the corporate IP policy. For
instance, these tools can support pedigree analysis and IP policy violation
detection automatically -- on demand, on schedule or even in real time within
the development process. They can also provide a BoM on demand. Taken together,
these IP management features deliver higher value and provide customer assurances.
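As an added example (not the article's or Protecode's code), here is a minimal form of the policy check such tools automate: a constructed BoM is audited against a constructed IP policy keyed by license identifier, producing allow/review/deny verdicts per component and the obligations the admitted components carry forward. The license names, policy actions, obligations and component names are all assumptions made for illustration.

```python
"""Added example (not from the article or Protecode): check a software Bill of
Materials against a simple corporate IP policy and report violations."""
from dataclasses import dataclass
# Constructed policy for a proprietary, distributed product. Keys are SPDX-style
# license identifiers; values are the action the policy prescribes.
POLICY = {
    "MIT": "allow",
    "Apache-2.0": "allow",
    "LGPL-2.1-only": "review",  # weak copyleft: legal sign-off required
    "GPL-3.0-only": "deny",     # strong copyleft: not permitted in this product
}
# Obligations the BoM must carry forward for licenses the policy admits.
OBLIGATIONS = {
    "MIT": ["retain copyright and permission notice"],
    "Apache-2.0": ["retain NOTICE file", "state modifications"],
    "LGPL-2.1-only": ["offer library source", "allow relinking"],
}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # declared license, empty string when unknown
    origin: str   # provenance, e.g. "github", "vendor", "internal"

def check_component(c: Component, policy: dict = POLICY) -> tuple:
    """Return (verdict, reason) for one BoM entry: allow, review or deny."""
    if not c.license:
        return "deny", "no license recorded; establish provenance before use"
    action = policy.get(c.license)
    if action is None:
        return "review", f"license {c.license} not covered by policy"
    return action, f"license {c.license} is '{action}' under policy"

def audit_bom(bom: list, policy: dict = POLICY) -> dict:
    """Audit a whole BoM: group components by verdict, collect obligations."""
    report = {"allow": [], "review": [], "deny": [], "obligations": {}}
    for c in bom:
        verdict, reason = check_component(c, policy)
        report[verdict].append((c.name, c.version, reason))
        for ob in OBLIGATIONS.get(c.license, []):
            report["obligations"].setdefault(ob, []).append(c.name)
    return report

# Constructed BoM; names and versions are illustrative, not real packages.
SAMPLE_BOM = [
    Component("fastjson-lite", "1.2.0", "MIT", "github"),
    Component("imgcodec", "0.9.1", "GPL-3.0-only", "github"),
    Component("netlib", "3.4.0", "LGPL-2.1-only", "vendor"),
    Component("legacy-utils", "0.1", "", "developer archive"),
    Component("tinyhash", "2.0", "WTFPL", "github"),
]
```

Running `audit_bom(SAMPLE_BOM)` flags the GPL component and the component with no recorded license as policy violations, queues the LGPL and unrecognised-license components for legal review, and lists the attribution and source-offer obligations the remaining components impose.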
As the critical factors driving the economics of software IP management are
the efforts to fix the software IP issues and minimize the associated delays
in product introduction to market, everything should be done to ensure its legal
compliance throughout its lifecycle for maximized cost efficiencies and minimized
As companies continue to leverage third party code, legal compliance issues
become increasingly integral to business priorities. Consciously implementing
measures for legal compliance in the development process itself as well as incorporating
aspects of effective software IP management into the organization are now crucial
for any entity concerned with software development and delivery.
About the Authors
Sorin Cohn-Sfetcu has 30 years of international business and technology experience. He holds several patents in Web services, wireless, and digital signal processing. He can be contacted at firstname.lastname@example.org.
Kamal Hassin is a thought-leader in the area of open source licensing and is the author or co-author of a number of papers on Software Intellectual Property management. Hassin has a Bachelor of Engineering degree and a Masters degree in Technology Innovation Management from Carleton University. He can be reached at email@example.com.
Protecode has the world’s fastest and most reliable software intellectual property (IP) engine, allowing real-time detection and management of external licensing and copyright issues as they arise. Built for ease-of-use, Protecode makes leveraging open source and third party software a straightforward process for organizations of all sizes. Detect common code early, obtain a bill of materials, understand licensing obligations and achieve mandated IP governance all seamlessly within established workflows. Protecode’s portfolio of solutions enables enterprises worldwide to control costs and to dramatically increase and protect software asset value. For more information and to download a trial please visit us at http://www.protecode.com.