Managing software legal compliance

In the age of open source and large-scale outsourcing, ascertaining the legal compliance of software is just as important as assuring the quality before pressing it into production. Numerous legal cases have highlighted the business risks and enormous costs incurred when compliance is not done properly -- costs stemming from judicial procedures, recalls, fixing issues post-release and missed market opportunities.

Software is a pervasive element in most products and processes, and over time, its sources have multiplied. Sources include internal development, suppliers of sub-systems and chips, outsourced contractors, open source repositories and the previous work of the developers themselves. Unlike hardware, software is easily accessed, replicated, copied and re-used.

Open source software has become a significant player in most development, due to the wide availability of source code, its low cost and its high degree of stability and security. Open source code is generally free on the surface, but it's not without obligations. It comes laden with licensing and copyright conditions which are enforceable by law -- sometimes with dire effects for users who are not careful to validate the origin and any associated obligations of all software components in their products.

This doesn't mean that leveraging outsourcing and/or open source software is to be avoided. The issue is not with the use of open source, but with unmanaged adoption and lack of proper care for the copyright and licensing obligations it entails. It's paramount that you validate the IP cleanliness of your products and services and ascertain that they meet all legal obligations before they are employed.

Principal aspects of legal compliance

Assuring compliance with legal obligations implies the following three major aspects:

1. Definition of a corporate (or specific project) intellectual property policy which must be met by all associated products and services.

2. The auditing of software to determine all implied legal obligations as per associated intellectual property policy.

3. The necessary fixes -- legal or development-intensive -- such that all software components meet said intellectual property policy.

The policy must be defined in accordance with both the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality-assurance departments.

From the perspective of an enterprise software buyer, all externally written software should be audited for compliance with the enterprise's intellectual property policy. If the software has been pre-audited by the supplier, then so much the better, but it's also important to consider the usage of the software at the enterprise level. Intellectual property obligations affect more than software content; they affect downstream usage, and enterprises should be aware of potential compliance issues throughout the software food chain. Auditing and detection can be accomplished by automated tools or manual audits.

Any "fixes" necessary to make the software legally compliant can be complex. Some software components may have to be replaced entirely due to IP infringement. This can be expensive, as new software components have to be found and the overall software needs to be re-tested. In other cases, it may be sufficient to formalize the assumption of obligations as demanded by license or copyrights, and ensure consistent compliance going forward. In all cases, the earlier legal compliance is addressed, the less costly it is for the company should issues arise.

Managing software legal compliance

Legal compliance goes beyond the development process and needs to be dealt with at conception. The critical elements of effective software IP management in an organization are:

* Existence of an IP policy for each project undertaken and a process to disseminate and apply it. Corporate intellectual property policies must be based on the organization's business goals and they should be clear and enforceable.

* Processes and tools for ascertaining the legal obligations and managing the intellectual property of software created and/or acquired in the organization.

* A software bill of materials (BoM) that fully records the components in the product, their provenance and the licensing obligations they entail. An adequate BoM is instrumental in determining the legal compliance of the software.

* Assurance and support for customers concerning the quality and IP cleanliness of software provided.

These elements provide a basis for meeting legal compliance for safe software use.

With respect to performing audits, managing software and assembling a BoM, modern software IP management applications simplify and enable safe open source adoption, giving enterprises the freedom to select the best solutions in accordance with corporate intellectual property policy. These tools can support pedigree analysis and intellectual property policy violation detection automatically -- on demand, on schedule or even in real time within the development process. They can also provide a BoM on demand. Taken together, these intellectual property management features deliver higher value and provide customer assurances.
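The BoM and policy-violation detection described above can be reduced to a small, repeatable check: record each component's provenance and license, then compare every license against the corporate IP policy and flag anything denied or unknown before release. The following is an added example, not code from the article's authors or from any Protecode product; the policy sets, the CycloneDX-style JSON shape and the sample components are all constructed for illustration.

```python
"""Audit a software bill of materials (BoM) against an IP/licensing policy.

Added example. The policy sets and the sample BoM below are constructed;
the JSON layout follows the CycloneDX shape (components with name, version,
supplier and an SPDX license id) as an assumption about the input format.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical corporate IP policy: licenses pre-approved for shipping in a
# proprietary product, licenses that carry obligations and need legal
# sign-off, and licenses forbidden outright.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}


@dataclass
class Component:
    name: str
    version: str
    supplier: str                 # provenance: where the component came from
    license: Optional[str]        # SPDX identifier, or None if not recorded


@dataclass
class Finding:
    component: Component
    status: str                   # "ok", "review", "denied" or "unknown"
    reason: str


def load_bom(json_text: str) -> List[Component]:
    """Parse a CycloneDX-style JSON document (assumed shape) into components."""
    doc = json.loads(json_text)
    components = []
    for entry in doc.get("components", []):
        licenses = entry.get("licenses") or []
        # Take the first declared license id; a BoM with none is a finding.
        lic_id = None
        if licenses and "license" in licenses[0]:
            lic_id = licenses[0]["license"].get("id")
        supplier = (entry.get("supplier") or {}).get("name", "unknown")
        components.append(Component(entry["name"], entry.get("version", ""),
                                    supplier, lic_id))
    return components


def classify(component: Component, policy=POLICY) -> Finding:
    """Map one component's license to a policy status."""
    lic = component.license
    if lic is None:
        return Finding(component, "unknown", "no license recorded in BoM")
    if lic in policy["denied"]:
        return Finding(component, "denied", f"{lic} is forbidden by policy")
    if lic in policy["review"]:
        return Finding(component, "review", f"{lic} requires legal sign-off")
    if lic in policy["allowed"]:
        return Finding(component, "ok", f"{lic} is pre-approved")
    # A license the policy never considered must not pass silently.
    return Finding(component, "unknown", f"{lic} is not covered by policy")


def audit_bom(bom: List[Component], policy=POLICY) -> List[Finding]:
    """Return a finding for every component, so the report records what was checked."""
    return [classify(c, policy) for c in bom]


def violations(findings: List[Finding]) -> List[Finding]:
    """Findings that block release: denied licenses and anything unresolved."""
    return [f for f in findings if f.status in ("denied", "unknown")]


# Constructed sample BoM (not from any real product).
SAMPLE_BOM_JSON = json.dumps({"components": [
    {"name": "libfoo", "version": "1.2.0", "supplier": {"name": "internal"},
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "netparse", "version": "0.9.1", "supplier": {"name": "vendor-a"},
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "cryptobits", "version": "2.0.0", "supplier": {"name": "open source"},
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "imglib", "version": "3.4.5", "supplier": {"name": "contractor-b"}},
    {"name": "uiwidgets", "version": "1.0.0", "supplier": {"name": "open source"},
     "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
]})

SAMPLE_BOM = load_bom(SAMPLE_BOM_JSON)


def report(bom=SAMPLE_BOM, policy=POLICY) -> List[Finding]:
    """Print one line per component and return the findings for further use."""
    findings = audit_bom(bom, policy)
    for f in findings:
        c = f.component
        print(f"{f.status:8} {c.name}@{c.version} ({c.supplier}): {f.reason}")
    print(f"{len(violations(findings))} release-blocking finding(s)")
    return findings


if __name__ == "__main__":
    report()
```

Run as a script, the report lists every component with its status and ends with the count of release-blocking findings; in the sample, the GPL-licensed `netparse` and the license-less `imglib` block release while `uiwidgets` is routed to legal review. Treating a missing or unrecognised license as a blocker rather than a pass is the important design choice: a BoM that cannot name a component's license has not established its provenance, and that is exactly the gap the article warns about.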

As companies continue to leverage third-party code, legal compliance issues become increasingly integral to business priorities. Consciously implementing measures for legal compliance in the development process itself, as well as incorporating aspects of effective software intellectual property management into the organization, are now crucial for any entity concerned with software.

Cohn-Sfetcu (scohn@protecode.com) is an executive management consultant and Hassin is a thought-leader in the area of open source licensing (khassin@protecode.com) with Protecode, which offers the world's fastest and most reliable software intellectual property engine, allowing real-time detection and management of external licensing and copyright issues as they arise.


This story, "Managing software legal compliance" was originally published by Network World.
