An Operationalized Management Library
You need a management library, and a system that checks everything and automatically takes action when an infraction is found. And you need to have ownership policies that are the condition of employment, so you can keep track of what gets made inside the organization before developers leave. There are four steps involved in setting this up.
Step No. 1: First, you set up a management library that tracks all versioning. This part isn't new. Go back 30 years and these tools-Concurrent Versioning System, Clear Case by IBM, Terforce-all managed the code library. CV is free-so is SofVersion by Collabnet. It must be a managed library system so that all code resides within the library. Developers must check out any code from the library, and after they make changes, they simply check it back in. The system automatically does version control, history and changes. This is especially important if there are two people on a project who are changing code. This system could consolidate versions.
Step No. 2: Second, make sure you incorporate a bug management system such as Mantis or BugZilla.
Step No. 3: Third, integrate the management library into the network. The whole due diligence system must be based on the proposition that external content management is part of your quality management.
Step No. 4: Fourth, and here's the hard part: You must check all the code against company policy and have an automated system that takes action when there's a violation. The management libraries do not do this. Up to now it's been a manual, after-the-fact process. Ideally, make it part of the development. Have a solution that detects all code as it comes into the organization. It doesn't matter if that code is cut and pasted from the Web or whether developers bring it in on a memory stick from home. Create a system that identifies and checks-in real time-who brought in the code, where and when. It must recognize the IP attributes, log them, and identify the copyright and license data. It must also check them against policies you establish and then take the appropriate action if it detects a violation.
Yes, this is time-consuming to set up, but it must be thought of as part of the product quality process at the operational level. If you do all this and someone sues you, you can bet that the judge will look a lot more kindly upon your company if you've gone to this measure.
One of the best side effects of such a system is that someone is always responsible for any action taken. For instance, if there's a violation, maybe the system sends off an alert e-mail to Legal. Or you program it to pop up a dialogue box on the developer's computer so he can comment: "I only used that illegal code for testing. I will take it out." The developer is alerted and reminded to take responsibility.
That's it. Remember, don't talk yourself out of it because the industry dynamics in place now demand that it's part of the development process: Bidding software on the Web, unprecedented access to code, Google search, increased regulatory guidelines and governance-these factors have converged. An operationalized library system is not only a natural at this point, but it has a very interesting trajectory. Think of the ways it can apply to digital content-and it will.
Dr. Mahshad Koohgoli is co-founder and CEOof Ottawa-based Protecode. Mahshad is a serial entrepreneur, with more than 25 years of experience in the telecommunications industry. His specialty is in technology startup businesses, having successfully managed three companies from the ground up. A visionary who holds several patents in the computer and communications field, Mahshad's current mission is to bring safe software development practices to the tech world.
Previously, Mahshad was founder and CEOof Nimcat Networks (acquired by Avaya in 2005), as well as founder of Spacebridge Networks and Lantern Communications Canada. Prior to these ventures, Mahshad held various technical, marketing and senior roles at Newbridge Networks, BellNorthern Research and Nortel. Mahshad has a BSc and a Ph.D from the University of Sussex, England. He can be reached at firstname.lastname@example.org.