Software is everywhere. It's in mobile devices, commercial equipment, desktop applications and network servers. The productivity to create the software that powers these applications stems from intensive reuse, with developers increasingly supplementing custom coding with outsourcing, commercial libraries and open source.
Open source software has become a significant component of all software development activities, intentionally and sometimes unintentionally, thanks to the abundance of available code, its apparent free cost, and high degree of stability and security. But while open source appears to be cost free, it is not without obligations, as it comes laden with licensing and copyright responsibilities that are enforceable by law. Even accidental infringements can result in fines and injunctions, making it prudent for software development organizations to manage their license obligations as they incorporate software from a variety of sources. Lack of knowledge about these obligations and ignoring them can lead to dire consequences for technology firms, and some of the ensuing legal cases have been well documented.
This does not mean that open source usage should be avoided. The cause for concern is not with the use of open source, but rather with unmanaged licensing obligations. It is important for software organizations to establish appropriate IP policies that determine what specific open source licenses and license terms are acceptable for their business before products go to market.
There are a number of approaches to license management, ranging from "do nothing" to real-time automated scanning of software to detect and report license obligations. All of these approaches can be viewed from a cost perspective, to maximize developer productivity while minimizing legal risk. A cost model for software legal compliance is presented in this article. This cost model takes into account factors such as the extent of the open source usage in a product, the extent to which the content violates an organization's licensing policies, the probability of detecting a violation after a product launch, versus the cost associated with fixing the problem at different stages of the product development life cycle. The model examines various approaches and scenarios for managing license compliance as part of a Software Development Quality Process.
Options for Managing Open Source Licensing
Licensing compliance assessment is often undertaken in advance of important transactions such as a company investment, merger/acquisition, or a major product release. However, mitigating business risks associated with software license compliance is best addressed by adopting a process within an organization's Software Development Quality Process. The following options are available to organizations to address license compliance at different points in the development process.
Do-Nothing: Popular up until recently, this option ignores the compliance issue because it carries the lowest up-front cost, but bears the highest business risks and largest corrective costs post market introduction.
Developer Training and Project Planning: Some companies consider that proper training and project planning is sufficient in normal situations. This is, however an overall expensive proposition given the growth in software license diversity and the cost of developer training. With this option, compliance depends solely on developers and there is still no assurance of legal compliance before going to market.
Post-Development Licensing Analysis and Correction: Taking action later in the project lifecycle can take the form of external or internal auditing, and impacts the final stages of testing and quality process. This option does not impact development workflow and can be automated with software tools designed for this purpose. Nevertheless if license violations are discovered, this will prolong the project lifecycle resulting in increased costs and unpredictable delays to the delivery of the final product.
Periodic Assessment: Periodic licensing analysis during development leads to corrections along the way if license violations are detected. This type of analysis can be automated and tends to be less expensive than post-development assessment since changes and re-tests can be done earlier in the development cycle.
Real-time Preventive Assistance at the Developer Workstation: The most pro-active measure for software licensing compliance is to detect license violations immediately and automatically at the developer workstation in real-time. The development process is not disturbed, and the cost of corrections is minimized, as any necessary corrections are done immediately without involvement of other resources and without need for re-testing. This process can be automated via software tools that are unobtrusive and do not require developer training in matters of legal compliance. Managing licensing in real-time is generally the most cost efficient and lowest risk option in the long term.
Automated Software Scanning and Licensing Management Tools
Fortunately, there are tools available to automatically scan software to detect all licensing policy violations. These tools can operate on demand, on a periodic schedule or in real-time within the development process. Generally these tools find compliance problems sooner, thus lowering the overall cost of license compliance. Some automated software scanning solutions allow software analyses to be done in accordance with corporate IP policies. These lend themselves well to instituting proper record keeping and safe software development practices. Most software IP scanning and licensing analysis tools have an accuracy of between 80% and 98% depending on the accuracy of the analysis engine and the size of the open source reference database.
The licensing management cost model is driven by a series of parameters. To illustrate, we will use the following base case as an example.
Project Open Source Usage
- 45% of software components in the project are open source.
- 4% of the open source content is in violation of the corporate IP policy.
Automated Software Scanning Accuracy. For scenarios where an automated solution is used we assume:
- 95% of licensing violations will be detected at the system audit stage before a product is released.
- 98% of licensing policy violations will be detected at the developer's workstation if a real-time solution is employed.
Costs to Detect and Fix Licensing Policy Violations
- $20,000 average cost to handle licensing non-compliance discovered in the field. The worst case is to have license or copyright violations discovered in a released product. In such cases the costs are much higher due to involvement of legal personnel and the corrections necessary after product release. Not taking into account the prospect of going to court, the costs can be anywhere between $5,000 and beyond $50,000.
- $1,500 average cost to handle licensing non-compliance discovered during product QA. A policy violation detected at the QA testing stage usually involves testing personnel, development managers and developers in order to decide what to be done and implement the necessary correction (for example, replace the offending code). This may take more than 1 person-day of work and usually ranges between $500 and $3,000. For this example, we will assume $1,500 cost of fixing a problem at the QA stage.
- $40 average cost to fix a policy violation discovered at the developer's workstation. This may take only minutes of the developer's time and does not involve any other expensive resources. Therefore, the cost, based on the time taken, for fixing issues right at the developer workstation could range between $25 and $60.
To illustrate a diversity of project scenarios we have evaluated a range of project sizes varying from 2000 to 100,000 code files.
For each project size we have calculated the overall cost of open source licensing compliance using the following approaches:
- Do Nothing.
- Post-development, pre-release licensing compliance assessment and correction.
- Real-time automated desktop scanning with final licensing compliance assurance at the build stage.
Figure 1 displays the estimated cost and savings associated with the three license management approaches described above.