Mahshad Koohgoli is the CEO of Protecode. He has more than 25 years of experience in the telecommunications industry and specializes in technology start-up businesses. Mahshad has a BSc and a PhD from the University of Sussex, England. Sorin Cohn-Sfetcu has 30 years of international business and technology experience. He holds several patents in Web services, wireless, and digital signal processing. They can be contacted at Koohgoli@protecode.com and email@example.com, respectively.
In the age of open source and large scale outsourcing, assuring the quality of software must comprise ascertaining its legal compliance as well. Numerous legal cases in recent years have highlighted the business risks and the enormous costs incurred when this is not done properly. The costs may come from involvement in judicial procedures, withdrawing of software from the field, fixing legal compliance issues post-release, delays in the development process and lost time-in-the-market, or undervalued corporate assessment at an investment event or in a merger or acquisition.
Software is a pervasive element in most products and processes nowadays. It comes from internal developments, from suppliers of sub-systems and chips, from outsourced development contractors, from open source repositories or simply from the previous work of the developers themselves. Software, unlike hardware, is easily replicable, accesses, copied and re-used.
Open source software has become a significant player in most software development, thanks to the wealth of source code available, its apparently free cost and its high degree of stability and security. Open source code is generally cost free. But it is not without obligations, as it comes laden with licensing and copyright conditions which are enforceable by law -- sometimes with dire effects for the hapless users who are not careful to validate the pedigree of the code in their products; i.e. the provenance and the associated obligations of all software components.
This does not mean that outsourcing or the use of open source software is to be avoided. The issue is not with the use of open source, but with the unmanaged adoption and proper care to the copyright and licensing obligations it entails. It is paramount for industrial managers to validate the IP cleanliness of their products and services and ascertain that they meet all legal obligations before they reach the market.
Like most hardware products, software products need to have an associated Bill of Materials (BoM) that fully records the components in the product, their provenance and the licensing and copyright obligations each of them entail, making sure there are no incompatibilities or violations. An adequate software BoM is instrumental in determining the legal compliance of the software and provides the necessary assurance to customers. As such, it can minimize the cost of indemnification and other associated legal obligations.
Compliance to Legal Obligations
Assuring compliance to legal obligations implies the following major aspects:
- Definition of a corporate (or specific project) intellectual property (IP) policy which must be met by all associated products and services.
- The auditing of software to determine all implied legal obligations as per associated IP policy
- The necessary fixes -- legal or development intensive -- such that all software components meet said IP policy.
The IP Policy must be defined in accordance with the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality assurance departments.
The auditing of software for legal compliance has traditionally been done just in advance of a major commercial or financial event. It is a complex process: preparation, document review, management conferences, designer conferences, analysis, legal consulting and reporting. It is time consuming and expensive as it consumes valuable engineering, management and legal resources. And, in most cases, it is inaccurate as there usually are insufficient records on what is actually in the software. Nowadays, there are automatic tools for auditing the software composition and determining the legal obligations associated with each identified component.
The "fixes" necessary to make the software legally compliant as per IP policy can be quite complex as well. Some software components may have to be replaced as they violate IP policy. This can be very expensive, as new software components have to be found and the overall software needs to be re-tested. In other cases, it may be sufficient to formalize the assumptions of obligations as demanded by license or copyrights.
The later in the software lifecycle such fixes are affected, the more expensive they become. If the legal compliance issues were discovered during the development process, the fixes would be less onerous and the business risks reduced.