Managing software license obligations throughout the Software Development Life Cycle

4While manual methods of record keeping and code examination can provide a high-level view of third-party content in a code portfolio, increasingly automated solutions are deployed in various stages of a Software Development Life Cycle (SDLC). Ideally, an approach that seamlessly overlays an automated open-source content management process on top of an organization’s existing SDLC would ensure that open-source software is adopted within that organization. As more and more development is moved into a cloud environment, appropriate software development tools and open-source license management solutions operating in the cloud are becoming an invaluable part of modern Agile development.

Software Development Life Cycle (SDLC) models are not new; they have been around for decades dating back to the early days of software projects. The SDLC involves processes, models, and techniques that are deployed in the creation of software solutions and is based on people, tools, and methodologies that administer the requirements evaluation and definition, design, testing, delivery, and maintenance of software solutions. Managing the overall life-cycle process (also known as governance) is the key to delivering quality products in a timely and cost-effective manner.

However, ever-increasing demands for faster development cycles and shorter release intervals, especially in mobile devices and the consumer embedded market, have made traditional SDLC techniques heavy-handed, bothersome, and in many cases, a hindrance to competitive market participation. Agile methodologies – software development based on iterative and incremental development, where requirements and solutions evolve through collaboration between cross-functional teams – are gaining acceptance in software development organizations. More and more, Agile methodologies are being used in embedded software development for high-tech, high-volume consumer devices and intelligent mobile products. In a way, Agile methods borrow from Just In Time (JIT) concepts, driving development and production efficiencies without compromising quality. These Agile methodologies in SDLCs also require corresponding tools to govern the stages of requirements definition, design, coding and testing, and release processes.

Open-source software and license management

Open-source software has become a significant player in most software development thanks to the wide availability of source code, its apparent free cost, and its high degree of stability and security. Wide availability of source code is a significant enabler of development efficiencies, but also could be the catalyst for many quality and regulatory deficiencies. If adoption of open-source software is not managed properly, there could be ramifications in quality, security, and even legal aspects due to missed obligations associated with licensing, copyrights, or export control regulations.

Open-source license management is the cornerstone of a risk management strategy appropriate to the sophistication, scale, and critical role of a targeted software market. Like any other quality management process, open-source license management can be integrated and applied at various stages in a development life cycle. Similarly, the earlier this process is applied, the sooner deficiencies are detected and the lower the effort and cost associated with fixing those impairments (see Figure 1).

Figure 1: The cost of correcting software deficiencies has a direct correlation to the stage of the development life cycle in which it is detected.
(Click graphic to zoom by 1.9x)

Therefore, the best practices in managing open-source adoption are typically consolidated into a series of necessary and optional steps that could be fully automated and integrated with existing development tools within a technology organization. These Open-Source Software Adoption Processes (OSSAPs) work best when spread over all stages of an SDLC and can be implemented to detect the presence of software components whose attributes such as license terms or security attributes violate a project’s open-source policies.

Implementing OSSAP

An open-source policy that is communicated and shared within an organization establishes confidence within the development community that the company understands and values the use of open source software, and that the organization is taking steps to maximize its benefits and minimize its risks. Because of its ability to be parlayed into an SDLC without replacing or hindering existing practices, OSSAP is fast becoming a standard part of an Agile software development methodology that meets the expectations of the development community without delaying time to market.

The first step of OSSAP is establishing policies around acceptable attributes such as licensing or pedigree of open-source packages, as well as measures in case violations are detected (see Figure 2). Representatives from engineering, business or product management, and legal, and sometimes procurement and contracting staff, are involved in drafting this policy.

Figure 2: OSSAP comprises eight critical steps that guide management and governance of open-source code throughout the SDLC.
(Click graphic to zoom)

Further steps include package pre-approval, analysis of the existing software portfolio and establishing a baseline, regular analysis, and approval of third-party code (as supplied by outsourcers or contractors, for example) or new code developed internally. OSSAP optionally includes real-time discovery and open-source content management as code is developed (right at the development workstation) or as new software is checked into the company’s project repository.

The final step in a structured open-source adoption process is the build analysis, where the final artifact is scanned for any unwanted content that could violate established open-source adoption policies. Manual analysis and implementation of OSSAP is time-consuming, but automated tools can speed and simplify implementation of a complete OSSAP policy within an organization.

Organizations are increasingly viewing IP and third-party software license management as part of their software quality development process and are evolving their existing quality checklists to include all or part of the blueprint depicted in Figure 2. Many software development tool suppliers are now providing their once-traditional solutions in the cloud. These include IBM’s Rational Host On-Demand, HP’s Fortify on Demand, Microsoft’s Windows Azure development platform services, and Oracle’s Java Cloud Service. Also available are GitHub for shared source control management, Atlassian’s JIRA for bug tracking, Confluence for collaboration, Cloud9 for all Integrated Development Environment (IDE)-in-the-cloud needs, and ProtecodeCloud for code scanning and open-source license management.

OSSAP’s steps to a secure life cycle

The best practices in open-source license management involve a life-cycle approach that includes policy-based, automated, and continuous license management as software is developed. Establishment of a structured OSSAP and a life-cycle approach ensures that any risks are addressed as early as possible to contain their impact and provides magnified due diligence in critical business transactions to provide the best possible assurance for positive business outcomes.

Mahshad Koohgoli is CEO of Protecode.