
Ensuring Responsible Open Source Use with Software Audits

By Lacey Thoms, January 14, 2013 (Article)

In order to keep up with customer demand and maximize quality, organizations today rely increasingly on code re-use. Developers do not want to reinvent the wheel with each new product they work on, and a plethora of freely available open-source code exists to solve most of their problems. They can also bring code from past projects and previous employers into new products. The use of outsourcing and contractors (who are also using open source) is another common way to speed up development while reducing costs. These are all legitimate, and encouraged, ways to streamline development; but combine them, and it can be difficult to tell where all of your code comes from and how much of it you actually own.
The problem of IP uncertainty 
Open-source code is distributed under a license, and anyone who uses the code must comply with its terms. Obligations range from crediting the original author and reproducing the license text to making your own source code publicly available when you distribute the product. (Code published with no license at all is not open source: copyright law reserves all rights to the author by default, so it cannot legally be reused either.) Some open-source license obligations, for example releasing source code to the public, may not be a good fit with the organization's business model.
Any time a software product changes hands it is imperative to understand the code's pedigree and ensure compliance with every open-source and third-party license involved. Examples of software transactions include:

  • Mergers and acquisitions (M&A) between organizations that produce software
  • Technology transfer between both academic and commercial organizations
  • Release of a product into the market
  • Release of software that is part of a supply chain

Any uncertainties around intellectual property (IP) can derail M&A and tech transfer activities, delay product shipments, lower a company’s valuation and reduce the ability to create partnerships.
Ensuring clean IP before a software transaction, or ideally as early as possible in the development cycle, can reduce the time and cost required to correct any compliance issues that arise.


Security is another issue tied to the use of open-source and third-party code. A number of public databases, such as the U.S. National Vulnerability Database (NVD) or the CERT Coordination Center (CERT/CC) Vulnerability Notes Database at Carnegie Mellon University, list known vulnerabilities in a large number of software packages.
Although in general open-source software (OSS) is no less secure than proprietary software, these databases are indexed by product and version. Without an accurate inventory of which components, at which versions, exist in the code base there is no way to look up the entries that apply to you, let alone know when a fixed release is available.
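As an added example (not code from the article or from Protecode) of the lookup described above, the script below matches a component inventory against vulnerability records by package name and affected-version range. The inventory, the records and the record schema (package, affected_from, fixed_in) are constructed for illustration, and the identifiers are placeholders, not real CVE or NVD entries. The component whose version was never recorded illustrates the paragraph's point: it can be named but not checked.

```python
"""Match a component inventory against vulnerability records.

Added example, not code from the article or from Protecode. The inventory,
the records and the record schema (package, affected_from, fixed_in) are
constructed for illustration; the IDs are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Numeric tuples compare correctly where
    strings do not ('1.2.10' > '1.2.9'). Non-digits in a part are dropped."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, affected_from: str, fixed_in: Optional[str]) -> bool:
    """True when affected_from <= version < fixed_in. fixed_in=None means
    no fixed release exists yet, so every later version is affected."""
    v, lo = parse_version(version), parse_version(affected_from)
    hi = parse_version(fixed_in) if fixed_in else None
    width = max(len(v), len(lo), len(hi) if hi else 0)
    pad = lambda t: t + (0,) * (width - len(t))   # so (3, 0) == (3, 0, 0)
    v, lo = pad(v), pad(lo)
    if v < lo:
        return False
    return hi is None or v < pad(hi)


@dataclass
class Finding:
    component: str
    version: Optional[str]
    record_id: Optional[str]
    status: str          # "affected" or "unknown-version"


def match_inventory(inventory: list, records: list) -> list:
    """Report affected components, and flag components whose version was
    never recorded: they can be named but not checked against any record."""
    by_package = {}
    for rec in records:
        by_package.setdefault(rec["package"].lower(), []).append(rec)
    findings = []
    for comp in inventory:
        if comp["version"] is None:
            findings.append(Finding(comp["name"], None, None, "unknown-version"))
            continue
        for rec in by_package.get(comp["name"].lower(), []):
            if version_in_range(comp["version"], rec["affected_from"], rec["fixed_in"]):
                findings.append(Finding(comp["name"], comp["version"], rec["id"], "affected"))
    return findings


# Constructed inventory: what an audit found in the code base.
INVENTORY = [
    {"name": "libfoo", "version": "1.2.3"},
    {"name": "libbar", "version": "4.0.1"},
    {"name": "libbaz", "version": None},    # vendored copy, version never recorded
    {"name": "libqux", "version": "2.1.0"},
]

# Constructed vulnerability records; placeholder IDs, not real advisories.
RECORDS = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "affected_from": "1.0.0", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-0002", "package": "libfoo", "affected_from": "1.3.0", "fixed_in": None},
    {"id": "EXAMPLE-0003", "package": "libbar", "affected_from": "3.0", "fixed_in": "4.0.1"},
    {"id": "EXAMPLE-0004", "package": "libbaz", "affected_from": "0.9", "fixed_in": "1.1"},
]

if __name__ == "__main__":
    for finding in match_inventory(INVENTORY, RECORDS):
        print(finding)
```

Running it reports libfoo 1.2.3 as affected by EXAMPLE-0001 (the fix landed in 1.2.4), clears libbar 4.0.1 because the fixed release is exclusive, and flags libbaz as unknown-version rather than silently clearing it; that last case is why the inventory has to record exact versions, not just names.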
Uncovering problematic code
Once an organization has a process in place to ensure OSS use is regulated, risks around IP uncertainties decrease dramatically. If a project is small enough, a manual code audit may be an option. However, this requires a high degree of licensing knowledge and a lot of time — many organizations lack the resources for a manual audit.
Organizations can also use automated tools to scan their software internally. While this requires much less legal knowledge, there is an initial on-boarding phase that some organizations may not have time for in the case of an urgent software transaction.
External audits are often the fastest way to ensure IP cleanliness. External audits combine open-source licensing experts with automated code scanning tools to produce accurate results and quick turnaround. Once an NDA is in place, the audit begins with a question-and-answer session to better understand the development environment.
The results of the audit are compiled into a final report containing a high-level view of all open-source and third-party content and attributes associated with it. The audit report describes the software code audit environment, the process used, and the major findings, drawing attention to specific software packages, or even software files and their associated copyrights and licenses.
The audit report will highlight third-party code snippets that were copied into proprietary files and the effect these snippets can have on the distribution or the commercial model. Information on commercial or OSS components including a description of what each piece of software does, who created it and related references to project websites is provided. The text of all licenses that are discovered is also included with this report.
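Two of the checks described above (the copyright and license notices each file carries, and third-party snippets copied into proprietary files) as an added example, not the article's or Protecode's code: the script fingerprints every run of four normalized lines in a known open-source file, then scans a proprietary file for the same fingerprints and reports the copied span. Both source files, the phrase table and the window size k=4 are constructed assumptions; real scanners match against large corpora and full license texts rather than a handful of phrases.

```python
"""Notice detection and copied-snippet detection over a small code base.
Added example, not the article's or Protecode's code. The two files are
constructed; the license-phrase table is an illustrative subset only."""
import hashlib
import re
from collections import defaultdict

# Constructed reference corpus: one known open-source file.
KNOWN_OSS = {"oss/tinylist.c": """\
/* Copyright (c) 2009 Jane Example
 * Licensed under the Apache License, Version 2.0 */
#include <stdlib.h>
struct node { int value; struct node *next; };
struct node *push(struct node *head, int value) {
    struct node *n = malloc(sizeof *n);
    if (n == NULL) return head;
    n->value = value;
    n->next = head;
    return n;
}
"""}

# Constructed proprietary file: push() was pasted in, re-indented, and the
# Apache notice that came with it was dropped.
PROPRIETARY = {"src/queue.c": """\
/* Copyright (c) 2012 Acme Widgets, Inc. All rights reserved. */
#include <stdlib.h>
#include "queue.h"
struct node { int value; struct node *next; };

struct node *push(struct node *head, int value) {
  struct node *n = malloc(sizeof *n);
  if (n == NULL) return head;
  n->value = value;
  n->next = head;
  return n;
}

int queue_depth(const struct node *head) { return 0; /* TODO */ }
"""}

LICENSE_PHRASES = {                      # phrase -> label (illustrative subset)
    "Apache License, Version 2.0": "Apache-2.0",
    "GNU General Public License": "GPL",
    "GNU Lesser General Public License": "LGPL",
    "Permission is hereby granted, free of charge": "MIT-style permission notice",
    "Redistribution and use in source and binary forms": "BSD-style permission notice",
}
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\(c\)|©)?\s*(\d{4}(?:\s*-\s*\d{4})?)\s+(.+?)\s*(?:\*/)?\s*$", re.I)
K = 4   # normalized lines per fingerprint; smaller catches shorter copies but adds noise

def find_notices(text: str) -> dict:
    """Collect (year, holder) copyright lines and recognised license phrases."""
    copyrights, licenses = [], []
    for line in text.splitlines():
        m = COPYRIGHT_RE.search(line)
        if m:
            holder = re.sub(r"\s*All rights reserved\.?$", "", m.group(2), flags=re.I)
            copyrights.append((m.group(1), holder))
        for phrase, label in LICENSE_PHRASES.items():
            if phrase.lower() in line.lower() and label not in licenses:
                licenses.append(label)
    return {"copyrights": copyrights, "licenses": licenses}

def normalize(text: str) -> list:
    """[(original_line_no, line)] with comments, blank lines and all whitespace
    removed, so a re-indented or re-commented copy still matches."""
    out, in_block = [], False
    for no, line in enumerate(text.splitlines(), start=1):
        if in_block:                                  # inside a /* ... */ from earlier
            end = line.find("*/")
            if end < 0:
                continue
            line, in_block = line[end + 2:], False
        line = re.sub(r"/\*.*?\*/", "", line)         # block comment closed on this line
        start = line.find("/*")
        if start >= 0:
            line, in_block = line[:start], True
        line = re.sub(r"\s+", "", line.split("//", 1)[0])
        if line:
            out.append((no, line))
    return out

def fingerprint(window: list) -> str:
    return hashlib.sha1("\n".join(window).encode()).hexdigest()

def index_corpus(corpus: dict, k: int = K) -> dict:
    """Fingerprint every run of k normalized lines in the known files."""
    index = defaultdict(list)
    for path, text in corpus.items():
        norm = normalize(text)
        for i in range(len(norm) - k + 1):
            index[fingerprint([l for _, l in norm[i:i + k]])].append(path)
    return index

def find_snippets(text: str, index: dict, k: int = K) -> list:
    """Merged (first_line, last_line, source_path) spans that match the corpus."""
    norm, spans = normalize(text), []
    for i in range(len(norm) - k + 1):
        fp = fingerprint([l for _, l in norm[i:i + k]])
        if fp not in index:
            continue
        start, end, src = norm[i][0], norm[i + k - 1][0], index[fp][0]
        if spans and spans[-1][2] == src and start <= spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], max(spans[-1][1], end), src)   # extend the run
        else:
            spans.append((start, end, src))
    return spans

def audit(files: dict, corpus: dict, k: int = K) -> dict:
    index = index_corpus(corpus, k)
    return {path: {**find_notices(text), "snippets": find_snippets(text, index, k)}
            for path, text in files.items()}

if __name__ == "__main__":
    for path, result in audit(PROPRIETARY, KNOWN_OSS).items():
        print(path, result)
```

The report for src/queue.c shows a single copyright holder (Acme) and no license, yet lines 4 to 12 match oss/tinylist.c, whose notice is Apache-2.0: the copied function arrived without its attribution, which is exactly the gap between what a file claims and what it contains that the audit report has to surface.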
Conclusion
Open source is becoming necessary to remain innovative and competitive in today’s technology market. A deep understanding of all components within a code base allows organizations to responsibly integrate open source into their projects while reducing any risks associated with IP uncertainty.
It is a good idea to analyze your code base on a regular basis; but at the very least, code should be analyzed before any software transaction takes place. Open-source components can be manually detected by internal staff, but external audits by a third party reduce costs, time and resources associated with an audit.
Lacey Thoms is marketing specialist and blogger at Protecode, provider of open source license management solutions. During her time at Protecode Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising and web design and development. Follow @Protecode on Twitter.