February 22, 2010, 8:53 PM — In the age of open source and large-scale outsourcing, ascertaining the legal compliance of software is just as important as assuring its quality before pressing it into production. Numerous legal cases have highlighted the business risks and enormous costs incurred when compliance is not done properly -- costs stemming from judicial procedures, recalls, fixing issues post-release and missed market opportunities.
Software is a pervasive element in most products and processes, and over time, its sources have multiplied. Sources include internal development, suppliers of sub-systems and chips, outsourced contractors, open source repositories and the previous work of the developers themselves. Unlike hardware, software is easily accessed, replicated, copied and re-used.
Open source software has become a significant component of most development efforts, thanks to the wide availability of its source code, its low cost and its high degree of stability and security. Open source code is generally free on the surface, but it is not without obligations: it comes laden with licensing and copyright conditions that are enforceable by law -- sometimes with dire effects for users who do not validate the origin, and the associated obligations, of every software component in their products.
This doesn't mean that leveraging outsourcing and/or open source software is to be avoided. The issue is not the use of open source, but its unmanaged adoption and the lack of proper care for the copyright and licensing obligations it entails. It's paramount that you validate the IP cleanliness of your products and services and ascertain that they meet all legal obligations before they are deployed.
Principal aspects of legal compliance
Assuring compliance with legal obligations involves the following three major aspects:
1. Definition of a corporate (or project-specific) intellectual property policy that all associated products and services must meet.
2. Auditing of the software to determine all the legal obligations it implies under the associated intellectual property policy.
3. Applying the necessary fixes -- whether legal or development-intensive -- so that all software components meet that intellectual property policy.
The policy must be defined in accordance with both the business goals of the organization and its engineering processes. It therefore requires the involvement of business and engineering managers, as well as proper legal counsel. The policy must be clear and enforceable, and it should be documented for distribution and application within the development and quality-assurance departments.