BANGALORE, INDIA: Today's complex software projects consist of many third-party components, including those supplied by contractors or outsourcers, open source software, and software that is acquired commercially or as part of an acquisition.
These different software components have specific attributes and are framed by usage or distribution obligations such as licensing, copyright, and export requirements. Third-party software license management is part of an overall software quality development process.
Like all other quality tasks, third-party software adoption can be managed at different stages of a software lifecycle process.
A study of the prevailing best practices in an Open Source Software Adoption Process includes the following 8 steps.
1. Establishing a Software Licensing Policy - this step involves creating a license compliance policy acceptable to the organization. The policy addresses questions such as which license terms are acceptable, which vendors are approved, and which software products or packages are authorized for use.
2. Software Package Pre-Approval - this step defines and implements the procedures that determine the approved software packages in an organization. The Software Package Pre-Approval process involves the following steps:
a. First, a developer must request that a specific package be authorized. The request contains as much information about the package as possible, such as its name, authors, license, and pointers to where additional information can be found or the package can be obtained.
b. Next, the request is logged into a database where its approval status can be tracked. After a request is logged, an examiner audits the requested package.
c. Finally, the request is either rejected or approved. If approved, the package is then available to the organization.
3. Existing Portfolio Assessment - this step involves auditing the existing portfolio and establishing a baseline of what already exists in the organization.
4. Incoming Third-Party Software Assessment - this step involves a software licensing audit of any package that is brought into the organization. Third-party software could be content delivered by outsourcers or contractors, software brought in for evaluation, software purchased from a vendor, or an open source package.
5. Scheduled Software Scans - this step can be bypassed if the automated library check-in or real-time preventive assessment described in steps 6 and 7 is practiced. Regular software audits are best carried out at pre-determined intervals, e.g. weekly or monthly.
6. Real-Time Library Check-in Assessment - this step ensures that any content committed to the organization's Source Control Management system is well understood from a licensing-obligations viewpoint. Library check-in assessment provides near-real-time visibility of the content that could find its way into the company's products. Deviations from established organizational policies that are detected and remedied at this stage reduce the time, and cost, of remedial actions further down the road. Deviations from organizational policy should be automatically flagged to the person checking the content into the library and then examined.
7. Real-Time Assessment - this step is valuable because it ensures licensing compliance right at the developer workstation. This procedure is only possible if it is done automatically and carried out in the background without disrupting development. During the course of development, a developer may access content from a web site, download a whole package from an open source forge, or bring in content already obtained on a storage medium (such as a USB stick).
Automated tools can be integrated into the developer workstation to detect new software files and analyze them in the background. Linked to the captured organizational licensing policy and a database of pre-approved packages, such a tool can immediately alert the developer to any potential violation.
8. Pre-shipment Software Assessment - this step ensures there is a full understanding of the content and obligations associated with the product before it is released to the market. A final license list, together with a list of all license obligations depending on the way the packages are used, completes the release checklist. Any license incompatibilities are clearly highlighted at this stage. Obviously, if the earlier steps have been exercised, there will be no surprises at this stage, since all code consumed in the final build has already been analyzed and complies with the organization's policies.
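Steps 6 to 8 share one mechanism: compare each incoming component's declared license against the licensing policy and the pre-approval database, and flag every deviation to the person committing or shipping the content. The following Python is an added example of such a check, not Protecode's product or the author's code; the policy table, the incompatible-license pair and the manifest are constructed stand-ins for an organization's real policy and bill of materials.

```python
"""Check components against a licensing policy (added example, constructed data)."""
import json

# Constructed stand-ins for the organization's licensing policy (step 1) and
# the database of pre-approved packages (step 2).
POLICY = {
    "accepted_licenses": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    # (package, license) pairs an examiner has already approved
    "pre_approved": {("zlib", "Zlib")},
    # license pairs this constructed policy treats as incompatible in one shipped build
    "incompatible": {frozenset({"GPL-2.0-only", "Apache-2.0"})},
}

def check_component(name, license_id, policy=POLICY):
    """Return None if the component is compliant, else a reason to flag to the committer."""
    if (name, license_id) in policy["pre_approved"]:
        return None
    if not license_id or license_id == "UNKNOWN":
        return "no declared license; request pre-approval before committing"
    if license_id not in policy["accepted_licenses"]:
        return f"license {license_id} is not accepted by policy"
    return None

def assess_manifest(manifest_json, policy=POLICY):
    """Audit a manifest (commit or pre-shipment) and return {component: reason}
    for every deviation, plus a 'license_incompatibility' entry when two
    licenses in the shipped build conflict under the policy."""
    components = json.loads(manifest_json)["components"]
    findings = {}
    for c in components:
        reason = check_component(c["name"], c.get("license", ""), policy)
        if reason:
            findings[c["name"]] = reason
    shipped = {c["license"] for c in components if c.get("shipped", True) and "license" in c}
    for pair in policy["incompatible"]:
        if pair <= shipped:
            findings["license_incompatibility"] = " and ".join(sorted(pair))
    return findings

# Constructed manifest standing in for a commit or pre-shipment bill of materials.
SAMPLE_MANIFEST = json.dumps({"components": [
    {"name": "requests", "license": "Apache-2.0"},
    {"name": "zlib", "license": "Zlib"},
    {"name": "somelib", "license": "GPL-2.0-only"},
    {"name": "vendored-snippet"},
]})

if __name__ == "__main__":
    for name, reason in assess_manifest(SAMPLE_MANIFEST).items():
        print(f"FLAG {name}: {reason}")
```

Wired into a check-in hook (step 6) or a workstation file watcher (step 7), the same `assess_manifest` call flags the undeclared snippet and the unapproved license at commit time; run over the final build manifest (step 8) it also reports the incompatible pair.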
Implementing an Open Source Software Adoption Policy ensures that unwanted third-party code is detected and recorded as part of a quality software development lifecycle. Like all other aspects of quality management, detecting non-compliant code early in development and recording or fixing the deficiency minimizes the effort and the project delays involved. Automated tools minimize the effort of detecting and managing third-party components and their licensing obligations.
(The author is CEO of Protecode, Inc.) (The views expressed in this article are those of the author and do not necessarily reflect the views or policies of CIOL.)