In the age of open source and large scale outsourcing, both assuring the quality of software and taking it to market means ascertaining its legal compliance as well. Numerous legal cases in recent years have highlighted the business risks and the enormous costs incurred when this is not done properly. These costs stem from involvement in judicial procedures, software recalls, fixing legal compliance issues post-release, and missed market opportunities caused by delays in the development process. Other consequences include lowered valuations in due diligence processes triggered by customers, potential or existing investors, mergers and acquisitions, and other major transactions.
Software is a pervasive element in most products and processes, and over time, its sources have multiplied. Sources include internal developments, suppliers of sub-systems and chips, outsourced development contractors, open source repositories and the previous work of the developers themselves. Software, unlike hardware, is easily accessed, replicated, copied and re-used.
Open source software has become a significant player in most software development, thanks to the wide availability of source code, its apparent free cost and its high degree of stability and security. Open source code is generally free on the surface, but it's not without obligations. It comes laden with licensing and copyright conditions that are enforceable by law - sometimes with dire effects for users who are not careful to validate the pedigree of the code in their products; i.e., the origin and any associated obligations of all software components.
This doesn't mean that leveraging outsourcing or open source software is to be avoided. The issue is not with the use of open source, but with unmanaged adoption and lack of proper care to the copyright and licensing obligations it entails. It is paramount that industrial managers validate the IP cleanliness of their products and services and ascertain that they meet all legal obligations before they reach the market by
Principle Aspects of Legal Compliance
Assuring compliance to legal obligations implies the following three major aspects:
- Definition of a corporate (or specific project) intellectual property (IP) policy which must be met by all associated products and services.
- The auditing of software to determine all implied legal obligations as per associated IP policy
- The necessary fixes - legal or development intensive - such that all software components meet said IP policy.
The IP Policy must be defined in accordance with both the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality assurance departments.
Auditing software for legal compliance is a process that is traditionally only begun just before major commercial or financial events. It's a complex process: preparation, document review, management conferences, designer conferences, analysis, legal consulting and reporting. It is time consuming and expensive as it consumes valuable engineering, management and legal resources. Even then, in most cases, the results have been inaccurate as there are usually insufficient records on what is actually in the software. As these problems continue to emerge, automated tools for auditing the software composition and determining legal obligations have become an attractive option.
The "fixes" necessary to make the software legally compliant as per IP policy can be complex. Some software components may have to be replaced entirely due to IP infringement. This can be expensive, as new software components have to be found and the overall software needs to be re-tested. In other cases, it may be sufficient to formalize the assumptions of obligations as demanded by license or copyrights.
Bringing Legal Compliance Assurance into the Development Process
Mitigating business risks associated with software legal compliance is best addressed by building legal considerations into the development process itself. The following options address compliance measures at different points in the development process. Some of the options listed, such as periodic and real-time assessment, can be used in combination for best results.
Ignore: Deciding to ignore the compliance issue carries the lowest up-front cost but bears the highest risks.
Preventative - Developer Training and Project Planning: Some companies - especially small and mid-size ones - consider that proper training and project planning is sufficient in normal situations, accepting to undertake an audit during imposed due-diligence efforts. Naturally, the more the developers are trained on matters of software legal compliance issues, the more effective the development process can be. This is, however, a rather expensive proposition, given the explosive growth in number of distinct software licenses, the high cost of developer training, and the constant churn within the development environment. With this option, compliance rests solely on developers and any assurances are their responsibility.
Post Development: Taking action later in the project lifecycle can take the form of external or internal auditing and impacts the final stages of testing and the quality assurance process. This option can bear higher costs due to professional services, the cost of any necessary changes to the software after the fact, subsequent re-testing and re-auditing. This option gets results, does not impact development workflow, and can be rendered more cost effective with software tools designed for this purpose. It can, however prolong the project lifecycle near the end, resulting in delays to the delivery of the final product that are hard to predict.
Periodic: Periodic auditing of software during development involves course corrections along the way if any policy violations are detected. This can be done with automatic tools and is less expensive than waiting until after the development process thanks to the shorter delays in getting the fixes done and re-tested.
Real-time: The most pro-active measure for software compliance assurance is to detect license violations immediately at the developer workstation in real time. The development process is not disturbed and the cost of corrections is minimized as any necessary corrections, which might include justification of selection, code changes or replacement, are done on the spot without involvement of other resources and without need for re-testing. This process can be automated via software tools in ways that are unobtrusive, easy to adopt and, most importantly, do not require developer training in matters of legal compliance. Detecting possible violations in real-time is the most cost efficient and lowest risk option in the long term.