Ralph Priester is director of intellectual capital, configuration management, and third-party compliance at Halliburton's Landmark Graphics.
Every business needs to focus on cutting costs, improving time to market, reducing risk, and increasing innovation. Open source software is a powerful tool to achieve these goals -- as long as you manage its use. Unfortunately, many development groups don't know what code sources they have in their codebases, which opens the door to compliance and security issues.
With these risks in mind, Halliburton Landmark instituted manual processes to track code sources and identify open source within DecisionSpace, our core product for the oil and gas industry. However, the time and staffing resources needed to do this significantly hindered our development life cycle. Manual processes are also prone to human error. We needed an automated way to track baseline code sources that would let us more efficiently manage compliance, minimize error, and proactively use open source in development. Luckily, there are a number of vendors that provide this kind of support, including Black Duck, OpenLogic, Palamida, and Protecode.
We opted for Black Duck Suite, with its database that automatically scans code to check licenses. In addition to heading off potential IP and license issues, Black Duck lets us identify third-party encryption algorithms that require a filing with the Department of Commerce if the code is exported from the United States.
Black Duck has automated the process of tracking and scanning our code base, analyzing approximately 325 million lines of code in 12 months -- a process that would have taken more than five years if done manually.
This approach is crucial for the Agile developing we do at Landmark. Automated scanning lets Agile teams identify licensing and compliance issues up front and correct them before they become embedded. Nothing slows the Agile process more than having to backtrack to solve a licensing problem. Programming teams at Landmark also use automated scanning to scan existing open source code for compliance and reuse.