The open source community has created thousands of software components that can be utilized in application and product development, including stacks, drivers, kernels, databases, application servers, report generators, internationalization toolkits, and more. The number of quality open source components is simply too numerous to summarize. Embedded developers can leverage these components to significantly reduce the amount of code they have to write from scratch. However, hybrid development – combining internal and external code like open source software – involves several issues that must be managed carefully.
Efficiently leveraging open source
Billions of lines of open source code are downloadable from code repositories on the Internet. This code is free but must be managed from a number of perspectives: security, licensing, export regulations, version control, and more. Improperly managed open source code can result in bad publicity, copyright infringement, and even stop-shipment orders, as well as difficulty supporting the product.
Consider a few notable examples of companies facing allegations that they did not adequately manage their use of open source code on their embedded platforms:
- Diebold was subject to an infringement lawsuit over using Linux in its voting machines without complying with the GNU General Public License (GPL).
- Google received bad PR during the launch of the Android mobile platform because of known security vulnerabilities.
- Cisco was sued by open source developers alleging that Linksys routers used open source software without entirely complying with open source license obligations.
- Skype was sued for violating the GPL in developing its VoIP phone.
- Verizon was sued over the software license for open source software used in its FiOS router.
Avoiding dysfunctional code
While code that works is considered functional, code that violates a company's policies or breaks the law is considered dysfunctional. Working code can contain unknown license obligations, incur unplanned royalties, infringe on patents, violate laws on exporting cryptographic algorithms, and contain security vulnerabilities. Working code that harms the business is dysfunctional. Dysfunctional code must be discovered and fixed, but whose job is it?
Engineers are paid to write, test, and support code that is functional. They are not policy experts and should not be expected to serve as the internal authority making business decisions on the use of open source code. Therefore, the challenge is to foster collaboration within the organization without bogging down engineers in burdensome red tape. Many times, developers and policy makers such as the chief of security and legal counsel have difficulty getting on the same page. After all, their training and goals differ. However, managing dysfunctional code is truly not a problem that engineers can solve by themselves.
Companies need to establish processes and procedures that set operating parameters for engineers. Organizations must manage open source code as a set of integrated business processes that bring together the many policy makers who have a stake in code compliance: legal, security, IT, engineering, product management, purchasing, and others.
One unattractive alternative is for the organization to deny developers the freedom to utilize open source code. Declaring the reuse of open source as off-limits is often not viable from a business perspective; it would be akin to making a rule that any off-the-shelf solution must be rejected in favor of sourcing all materials in-house. Nobody builds systems this way anymore. Doing so increases overhead and reduces a business's agility at a time when other companies are likely using open source to gain a competitive edge.
Code management for hybrid development
Automation provides the best of both worlds: support for robust policies and procedures without overloading developers in bureaucracy. The first step in successfully automating code management is to establish a set of policies that can be used to govern code. This usually includes the following procedures:
- Inbound processes that control code entering the organization with a policy review process and a set of approvers. The review board can include legal, security, IT, engineering management, open source, purchasing, and compliance.
- Audit processes that discover unapproved code that has leaked into the organization's code repositories.
- Tracking mechanisms to monitor where code is used and deployed.
- Maintenance processes that are often complementary to existing processes but also include touch points to external sources of information such as the National Vulnerability Database, which logs security vulnerabilities on behalf of the U.S. government and the global software industry.
- Outbound processes for publishing enhancements to open source code when required by open source code licenses.
From a tactical perspective, an automated system that supports a robust and flexible set of code management practices should include the following key elements:
- An online catalog where developers can internally publish approved components as well as encourage reuse and standardization. The catalog also tracks software component bills of materials, a fundamental capability for managing component-based hybrid development.
- A business process management engine that can implement a multi-user, multi-role, multistage approval process based on configurable business rules. A system oriented toward collaboration also allows process participants to interact within an organized discussion forum.
- An analysis engine that will scan code and find issues such as unapproved code, components with vulnerabilities, and export-restricted code. Many organizations use string search tools to find undocumented code, an approach that is limited to finding regular expressions or templates like license headers in text files. This technique is useful but falls short of tracking binary reuse, which is common among Java developers, or finding evidence of code that was casually cut and pasted without documentation. String search tools can also be easily fooled using the global search-and-replace capabilities of standard editors. A more effective approach is to build a database of open source code, security vulnerabilities, and export algorithms and apply exact and fuzzy matching technology.
- Action alerts for new security vulnerabilities that pertain to approved components.
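As an added illustration of the contrast drawn above between string search and fuzzy matching (example code, not Black Duck's product or KnowledgeBase): a toy fingerprint index that maps identifiers to a placeholder before hashing runs of tokens, so a snippet whose names were changed by search-and-replace and whose license header was deleted still matches the known component. The "known" snippet and the internal file are constructed for the example.

```python
import re
import hashlib

# Constructed sample: a fictional open source helper as it would sit in a component
# database, and a copy pasted into an internal file after a global search-and-replace
# of the identifiers and deletion of the license header.
KNOWN_SNIPPET = """\
/* Copyright (c) 2008 Example Project. Licensed under the GPL. */
static int ring_put(struct ring *r, int value) {
    if (r->count == r->size) return -1;
    r->buf[r->tail] = value;
    r->tail = (r->tail + 1) % r->size;
    r->count++;
    return 0;
}
"""
INTERNAL_FILE = """\
static int q_push(struct q *queue, int item) {
    if (queue->n == queue->cap) return -1;
    queue->data[queue->head] = item;
    queue->head = (queue->head + 1) % queue->cap;
    queue->n++;
    return 0;
}
"""
TOKEN_RE = re.compile(r"/\*.*?\*/|//[^\n]*|[A-Za-z_]\w*|\d+|[^\s\w]", re.S)
KEYWORDS = {"static", "int", "struct", "if", "return", "void", "char", "for", "while"}

def header_search(src):
    """The string-search approach: grep for a license or copyright header."""
    return bool(re.search(r"Licensed under|Copyright", src))

def normalize(src):
    """Tokenize C-like source, drop comments, and map every non-keyword
    identifier to ID so that renaming does not change the token stream."""
    tokens = []
    for tok in TOKEN_RE.findall(src):
        if tok.startswith("/*") or tok.startswith("//"):
            continue
        if re.fullmatch(r"[A-Za-z_]\w*", tok) and tok not in KEYWORDS:
            tok = "ID"
        tokens.append(tok)
    return tokens

def fingerprints(tokens, k=8):
    """Hash every run of k normalized tokens; the set is the fuzzy fingerprint."""
    return {hashlib.sha1(" ".join(tokens[i:i + k]).encode()).hexdigest()
            for i in range(len(tokens) - k + 1)}

def match_ratio(candidate, known, k=8):
    """Fraction of the candidate's fingerprints that appear in the known component."""
    cand = fingerprints(normalize(candidate), k)
    return len(cand & fingerprints(normalize(known), k)) / len(cand) if cand else 0.0
```

A real component database would index fingerprints for many components and report which one matched; here the header search misses the pasted copy while the fingerprint match scores it as a full match.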
Automation technology can streamline the necessary processes for successfully managing the proper integration of code from multiple sources. Documented procedures and training form the basis of a comprehensive approach, but the dynamic nature of software development necessitates an automated framework that provides checks and balances and establishes rules of engagement for engineers and other policy makers (see Figure 1).
Figure 1: Developers can turn to automated solutions that enable enterprise collaboration and efficiently develop software that conforms to policies.
With automation, hybrid software development becomes faster and more cost effective, workflow is optimized, and security and policy integrity can be standardized enterprise-wide. Software development organizations can stretch budgets by aggressively taking advantage of existing open source software while more efficiently managing the unwanted risks and issues associated with mixing code from different sources.
Embedded platform developers can refocus on writing functional code without worrying about dysfunctional code, and companies can establish policies for finding and addressing issues early in the development cycle. Automating component management helps enterprises reduce business risks, complete software projects on time and on budget, maintain business plans, and prevent exposure to the potential liabilities of violating software licenses.
Managing the open source component life cycle
Black Duck Software produces an enterprise solution that enables development organizations to automate the processes that actively enforce code management policies. At the heart of these solutions is the Black Duck KnowledgeBase comprising billions of lines of open source code collected from nearly 4,000 Internet sites. The KnowledgeBase contains hundreds of thousands of open source components with associated information on each: component name/description, version, project license, language, repository URL, operating platform, known vulnerabilities, and more. The KnowledgeBase also contains thousands of cryptographic algorithms taken from open source and other publicly available projects. A dedicated team keeps this information as accurate and up-to-date as possible. Subscribers receive updates every few weeks so that they can operate with the latest possible information.
In addition to finding pertinent details on open source components, developers can use the KnowledgeBase to initiate a multiphase, multi-user approval process with the click of a button. Approved components are tracked in an online catalog, which establishes bills-of-materials for development projects. Daily security vulnerability alerts based on component and version are delivered to catalog users for vulnerabilities that appear in the National Vulnerability Database.
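An added sketch of the component-and-version matching that such catalog alerts rely on (example code, not Black Duck's implementation): each bill-of-materials entry is checked against a vulnerability feed keyed by component and version range. The catalog, advisory identifiers and feed records are constructed; the range keys are modelled loosely on the versionStartIncluding/versionEndExcluding fields of the NVD feeds.

```python
# Constructed data: an approved-component catalog (bill of materials) and a
# simplified vulnerability feed with NVD-style version-range keys.
CATALOG = [
    {"component": "libexample", "version": "1.10.2"},
    {"component": "libexample", "version": "2.0.0"},
    {"component": "demo-parser", "version": "0.9"},
    {"component": "other-lib", "version": "3.1"},
]
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "component": "libexample",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.10.3"},
    {"id": "CVE-EXAMPLE-0002", "component": "demo-parser",
     "versionStartIncluding": "0.5", "versionEndIncluding": "0.9"},
]

def parse_version(v):
    """Split a dotted version into integers so that 1.10 sorts after 1.9;
    a plain string comparison gets this wrong and silently misses alerts."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version, rec):
    """True when version falls inside the advisory's affected range."""
    v = parse_version(version)
    if "versionStartIncluding" in rec and v < parse_version(rec["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in rec and v >= parse_version(rec["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > parse_version(rec["versionEndIncluding"]):
        return False
    return True

def alerts(catalog, feed):
    """Return (component, version, advisory id) for every catalog entry in an affected range."""
    hits = []
    for entry in catalog:
        for rec in feed:
            if rec["component"] == entry["component"] and in_range(entry["version"], rec):
                hits.append((entry["component"], entry["version"], rec["id"]))
    return hits
```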
Enterprise users are also provided with a platform that compares their code base to all of the source and binary files in the Black Duck KnowledgeBase. Unexpected matches indicate the presence of unapproved code in the code base. Ideally, this analysis is performed as part of an organization's regular build process so that issues are caught and remediated early. With objective information about the origin of code, administrators can more easily discover license issues and other policy violations. The KnowledgeBase contains more than 1,400 software licenses classified according to legal parameters. This enables the system to alert developers to potential software license conflicts in their source code.
Users can also analyze their code for cryptographic information they may not have known existed in their code base. This is critical for code compliance, as strong encryption is needed for applications operating on "crown jewels" data and certain governments regulate which algorithms may be exported outside the country.
Eran Strod is director of product marketing for Black Duck Software, based in Waltham, Massachusetts, and helps manage the code search Internet site Koders.com. He has held various engineering and product marketing roles at Motorola, Freescale Semiconductor, CSPI, and Data General. Before joining Black Duck, Eran was director of product marketing at Mercury Computer Systems and served on the board of directors at VITA when ex ante patent disclosure provisions were formulated and adopted. Eran has also served as chair of the strategic marketing committee for the RapidIO Trade Association. He holds a dual BA in Computer Science and Psychology from UC Santa Cruz and graduated from the Northeastern University High-Technology MBA program.
Black Duck Software
781-810-1816
estrod@blackducksoftware.com
www.blackducksoftware.com