The new service has the same features as the productized ProtexIP—visibility into the origin of software that highlights potential license and IP (intellectual property) conflicts, and license-management and registry services that help identify software that has used the best available technology in implementing software compliance-management practices—but allows organizations to use and pay for those functions only when needed, said Douglas A. Levin, CEO of Waltham, Mass.-based Black Duck Software Inc.
Selling ProtexIP as a service makes a great deal of sense, especially for companies that would use it only infrequently or cant afford the cost of purchasing the entire product suite, said Amy Wohl, president of Wohl Associates, a consulting firm based in Narbeth, Pa.
"A small ISV might only want to use it when they get a new version ready for market and want to make sure they dont have any code in there of an unknown source, but spending the money to buy a copy of Black Duck might be prohibitive for them. This might be a more reasonable solution," she said.
Another case where the service model might make sense would be when one company is thinking of acquiring another.
"You want to make sure that their software, which is a considerable part of their asset value, wont turn out to be a liability rather than an asset," Wohl said. "You could check it to make sure its all actually owned by the company, and youd just want to run [ProtexIP] once to do that."
ProtexIP/OnDemand uses Black Ducks digital Code Print technology and open-source knowledge base to recognize when code from a growing list—currently in the thousands—of open-source programs has been inserted into a users source code. The service can identify the license associated with the inserted code and point out potential conflicts between that license and other relevant license restrictions or business policies, Levin said. The system then develops a list of issues for review by the organizations legal experts.
To handle the analysis of code to validate its origins—typically a time-consuming but critical process— users might activate ProtexIP/OnDemands online service that automates the process, providing fast results.
Validating code has become an even bigger issue in the past few years, thanks to the legions of software engineers who now download software from the Internet, making this function particularly useful.
"When companies used to acquire software, there was an approval process in place based on the cost of the software, so somebody always had to sign off on the expenditure," Wohl said. "But today developers are downloading free software off of the Internet, and there is no system yet that has the kind of control that the money-driven system had in the past. This is a way of checking out all of the software youve acquired thats being used in your company."