How to Assure Legal Compliance from Software Development to Delivery

By S. Cohn-Sfetcu and K. Hassin  |  Posted 2010-01-18

In the age of open source and large-scale outsourcing, assuring the quality of software and taking it to market both mean ascertaining its legal compliance as well. In recent years, numerous legal cases have highlighted the business risks and the enormous costs incurred when this is not done properly. These costs stem from involvement in judicial proceedings, software recalls, fixing legal compliance issues post-release, and missed market opportunities caused by delays in the development process. Other consequences include lowered valuations in due diligence processes triggered by customers, potential or existing investors, mergers and acquisitions, and other major transactions.

Software is a pervasive element in most products and processes, and its sources have multiplied over time. Sources now include internal developments, suppliers of subsystems and chips, outsourced development contractors, open-source repositories and the previous work of the developers themselves. Software, unlike hardware, is easily accessed, replicated, copied and re-used.

Open-source software has become a significant element in most software development life cycles, thanks to the wide availability of source code, its apparently zero cost, and its generally high degree of stability and security. Open-source code is free on the surface but it is not without obligations. It comes laden with licensing and copyright conditions that are enforceable by law, sometimes with dire effects for users who do not validate the pedigree of the code in their products (that is, the origin and the associated obligations of every software component).

This doesn't mean that outsourcing or open-source software is to be avoided. The issue is not the use of open source, but its unmanaged adoption and the lack of proper care for the copyright and licensing obligations it entails. It is paramount that managers validate the intellectual property (IP) cleanliness of their products and services, and ascertain that they meet all legal obligations before they reach the market.

Principal Aspects of Legal Compliance

Assuring compliance with legal obligations involves three major aspects:

1. Definition of a corporate (or specific project) IP policy which must be met by all associated products and services.

2. The auditing of software to determine all the legal obligations it implies, measured against the associated IP policy.

3. The necessary fixes, whether legal or development-intensive, so that all software components meet that IP policy.

The IP policy must be defined in accordance with both the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality assurance departments.

Auditing software for legal compliance is a process that has traditionally been begun only just before major commercial or financial events. It is a complex process involving preparation, document review, management conferences, designer conferences, analysis, legal consulting and reporting. The process is time-consuming and expensive, as it consumes valuable engineering, management and legal resources. Even then, the results have in most cases been inaccurate, because there are usually insufficient records of what is actually in the software. As these problems continue to emerge, automated tools for auditing the software composition and determining the resulting legal obligations have become an attractive option.

The "fixes" necessary to make the software legally compliant with the IP policy can be complex. Some software components may have to be replaced entirely because of IP infringement. This can be expensive, as replacement components have to be found and the overall software needs to be retested. In other cases, it may be sufficient to formally accept the obligations the license or copyright imposes, such as providing the required attribution or making source code available.

Legal Compliance Assurance in Development Process

Mitigating the business risks associated with software legal compliance is best done by building legal considerations into the development process itself. The following options address compliance at different points in the development process. Some of them, such as periodic and real-time assessment, can be combined for best results.

Option No. 1: Ignore

Deciding to ignore the compliance issue carries the lowest up-front cost but bears the highest risks.

Option No. 2: Preventative: Developer training and project planning

Some companies (especially small and midsize businesses) consider proper training and project planning sufficient in normal circumstances, and accept undertaking an audit only when due diligence is imposed on them. Naturally, the better developers are trained in software legal compliance, the more effective the development process. However, this is a rather expensive proposition given the explosive growth in the number of distinct software licenses, the high cost of developer training, and the constant churn within the development team. With this option, compliance rests solely on developers, and any assurances are their responsibility.

Option No. 3: Post-development

Taking action later in the project life cycle can take the form of external or internal auditing, and it affects the final stages of testing as well as the quality assurance process. This option can bear higher costs because of professional services, the changes to the software required after the fact, and the subsequent retesting and re-auditing. It does get results, does not disturb the development workflow, and can be made more cost-effective with software tools designed for this purpose. It can, however, prolong the project life cycle near its end, causing delays to delivery of the final product that are hard to predict.

Option No. 4: Periodic

Periodic auditing of software during development allows course corrections along the way whenever policy violations are detected. This can be done with automated tools. It is also less expensive than waiting until after development, because the fixes are done and retested with shorter delays.

Option No. 5: Real-time

The most proactive measure for software compliance assurance is to detect license violations immediately, in real time, at the developer workstation. This way, the development process is not disturbed and the cost of corrections is minimized, because any necessary corrections (which might include a recorded justification of the selection, code changes or replacement of the component) are made on the spot, typically without involving other teams or a separate retest cycle. This process can be automated via software tools in ways that are unobtrusive, easy to adopt and, most importantly, do not require developer training in matters of legal compliance.

Detecting possible violations in real time is the most cost-efficient and lowest-risk option in the long term. The later in the software life cycle such fixes are effected, the more expensive they become. If legal compliance issues are discovered during development, the fixes are less onerous and the business risks are reduced.

Legal Compliance in Product Life Cycle

From a business and product management perspective, legal compliance goes beyond the development process. It needs to be dealt with from project conception onward and from the customer's standpoint. The critical elements of effective software IP management in an organization are:

1. The existence of an IP policy for each project undertaken, and a process to disseminate and apply it. Corporate IP policies must be based on the organization's business goals, and they should be clear and enforceable.

2. Processes and tools for ascertaining the legal obligations and managing the IP of software created and/or acquired in the organization.

3. A Software Bill of Materials (BOM) that fully records the components in the product, their provenance and the licensing obligations they entail. An adequate BOM is instrumental in determining the legal compliance of the software, and its absence is the usual reason late audits produce inaccurate results.

4. Assurance and support for customers concerning the quality and IP cleanliness of software provided.

These elements provide a basis for meeting legal compliance with respect to the life cycle of the software product from conception to delivery.

Software IP management

With respect to the tools available, modern software IP management applications simplify and enable safe open-source adoption, giving developers the freedom to select the best components within the corporate IP policy. For instance, these tools can perform pedigree analysis and IP policy violation detection automatically: on demand, on a schedule, or even in real time within the development process. They can also produce a BOM on demand. Taken together, these IP management features deliver higher value and support the assurances given to customers.
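The following is an added example, not code from the article or from Protecode's products. It is a minimal scanner of the kind described here and under Options 4 and 5: it encodes an IP policy as data (the allow/review/deny sets are constructed for a hypothetical proprietary product), determines each file's license from an SPDX-License-Identifier tag or, failing that, from well-known license boilerplate phrases, checks the result against the policy, and emits a BOM. The sample source tree is constructed in memory so the script runs offline; a real tool would walk the repository. Files whose license cannot be identified are flagged rather than ignored, because a component of unknown provenance is exactly the record gap that makes late audits inaccurate.

```python
"""Added example of a license-compliance gate: detect, check against policy, emit BOM.
Illustrative only; not the article authors' or any vendor's tooling."""
import json
import re
import sys
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Constructed IP policy for a hypothetical closed-source product (assumption, not a
# real corporate policy). Anything not listed is treated as unknown and blocks release.
POLICY = {
    "allow": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "review": {"LGPL-2.1-or-later", "MPL-2.0"},   # usable only with recorded legal sign-off
    "deny": {"GPL-2.0-or-later", "GPL-3.0-or-later", "AGPL-3.0-or-later"},
}

# Detection: an SPDX tag in the file is taken as authoritative; otherwise fall back to
# phrases from well-known license boilerplate. Order matters: GPL-3 text is tried
# before GPL-2 so "version 3" is not misread as a GPL-2 file.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
PHRASES = [
    ("GPL-3.0-or-later", re.compile(r"GNU General Public License.*?version 3", re.I | re.S)),
    ("GPL-2.0-or-later", re.compile(r"GNU General Public License.*?version 2", re.I | re.S)),
    ("LGPL-2.1-or-later", re.compile(r"GNU Lesser General Public License", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,? Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD-3-Clause", re.compile(r"Redistribution and use in source and binary forms", re.I)),
]


@dataclass
class BomEntry:
    path: str
    spdx_id: str    # SPDX identifier, or NOASSERTION when nothing was found
    evidence: str   # how the license was determined (spdx-tag / boilerplate-phrase / none)
    verdict: str    # allow / review / deny / unknown


def detect_license(text: str) -> Tuple[str, str]:
    """Return (spdx_id, evidence) for the contents of one source file."""
    m = SPDX_RE.search(text)
    if m:
        return m.group(1), "spdx-tag"
    for spdx_id, pattern in PHRASES:
        if pattern.search(text):
            return spdx_id, "boilerplate-phrase"
    return "NOASSERTION", "none"


def classify(spdx_id: str) -> str:
    """Map a license to the policy verdict; unlisted or undetected licenses are 'unknown'."""
    for verdict in ("allow", "review", "deny"):
        if spdx_id in POLICY[verdict]:
            return verdict
    return "unknown"


def scan(tree: Dict[str, str]) -> List[BomEntry]:
    """Build the BOM for a source tree given as {path: file contents}."""
    return [
        BomEntry(path, *detect_license(tree[path]), classify(detect_license(tree[path])[0]))
        for path in sorted(tree)
    ]


def blocking_findings(entries: List[BomEntry]) -> List[BomEntry]:
    """Findings that must be fixed before release: denied licenses and files whose
    provenance could not be established at all. 'review' items are reported but
    not blocking, since the policy lets legal counsel approve them case by case."""
    return [e for e in entries if e.verdict in ("deny", "unknown")]


def bom_json(entries: List[BomEntry]) -> str:
    """Serialize the BOM so it can be shipped with the product or kept for audits."""
    return json.dumps([asdict(e) for e in entries], indent=2)


# Constructed sample tree (assumption; a real tool reads files from the repository).
SAMPLE_TREE = {
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "third_party/json/parse.c": '/* Licensed under the Apache License, Version 2.0 (the "License"); */\n',
    "third_party/crypto/md5.c": (
        "/* This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License, or\n"
        " * (at your option) any later version. */\n"
    ),
    "lib/compat.c": "// SPDX-License-Identifier: LGPL-2.1-or-later\n",
    "lib/util.c": "static int helper(void) { return 1; }\n",   # no license header at all
}

if __name__ == "__main__":
    bom = scan(SAMPLE_TREE)
    print(bom_json(bom))
    findings = blocking_findings(bom)
    for f in findings:
        print(f"BLOCK {f.path}: {f.spdx_id} ({f.verdict})", file=sys.stderr)
    sys.exit(1 if findings else 0)   # non-zero exit makes it usable as a commit or CI gate
```

Run as a pre-commit hook for the real-time option or as a scheduled CI job for the periodic one; the same policy data and the same BOM output serve both, which is what lets the two options be combined. Phrase matching is deliberately conservative: it only ever identifies a license it has a pattern for, and everything else surfaces as NOASSERTION for a human to resolve rather than silently passing.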

The critical factors driving the economics of software IP management are the effort needed to fix IP issues in the software and the associated delays in bringing the product to market. Because of this, legal compliance should be assured throughout the product's life cycle to maximize cost efficiency and minimize risk. As companies continue to leverage third-party code during software development, legal compliance issues become increasingly integral to business priorities.

Sorin Cohn-Sfetcu is involved in Marketing at Protecode. Sorin brings over 30 years of entrepreneurial involvement in technology and business management in multinational (Nortel) and small companies, with a significant portfolio of market successes, innovative products and publications. Sorin holds several patents in Web services, wireless, and digital signal processing. Sorin has a Ph.D. from McMaster University, a Masters of Science degree from University of Calgary, and a Masters of Engineering degree from Polytechnic Institute of Bucharest. He can be reached at scohn@protecode.com.

Kamal Hassin is responsible for product portfolio capabilities at Protecode. Kamal is a thought leader in the area of open-source licensing. Kamal is the author or co-author of a number of papers on Software Intellectual Property management. Kamal has a Bachelor of Engineering degree and a Masters degree in Technology Innovation Management from Carleton University. He can be reached at khassin@protecode.com.
