Managing open source licensing compliance

In the age of open source software, ascertaining legal compliance of software is just as important as assuring code quality before releasing it into production. Numerous legal cases have highlighted the potential business risks and costs when compliance is overlooked, which can lead to lawsuits, injunctions, recalls and missed market opportunities.

Open source software has become a significant component in many development projects due to its wide availability, low cost of usage and high degree of stability and security. Open source code is generally free in the sense there is no purchase price, but it comes laden with licensing and copyright conditions which are enforceable by law.

This doesn’t mean that leveraging open source software is to be avoided. On the contrary, it is a significant source of development productivity. The issue is not with the use of open source, but rather the requirement to ensure that associated licensing obligations are accommodated prior to shipping products containing open source. Consequently, it is important that a software development organization using open source employ a licence compliance process as part of its overall product quality assurance in order to avoid post-release legal consequences.

Principal Aspects of License Management

A complete approach to assuring open source license compliance will generally include three major aspects: definition of a corporate or project-specific intellectual property policy which must be met by all products and services; auditing of all project software to detect any third-party source code, including open source, that is unacceptable based on the IP policy; and corrective processes to ensure that all released software conforms to the IP policy.

The creation of the IP policy is an important step as it forms the basis upon which decisions regarding acceptance of open source software will be made. The IP policy should be defined in accordance with both the business goals of the organization and its engineering processes, and generally requires the involvement of business and engineering managers, as well as legal counsel. The policy should be clear and understandable by software developers and quality assurance staff so that effective processes can be implemented to ensure policy compliance.

Software auditing is required to ensure production code conforms to the IP policy, although the audit implementation can take a number of forms depending on the preference of the development organization. Audits can range from ad hoc developer training and post-development cycle auditing to more pro-active tool-based approaches such as periodic and real-time auditing.

Developer Training

Some companies, especially small and mid-sized ones, consider that proper developer training and project planning are sufficient. This, however, tends to be an expensive, labor-intensive option given the increasing diversity and number of software licenses to be aware of, the high cost of developer training, and the constant churn within the development environment. With this option, compliance rests solely on busy developers and is prone to human error.

Post-Development Audits

Auditing late in the project lifecycle has the advantage that it does not impact the development workflow and can be implemented manually or using automated software tools designed for this purpose. This option does, however, lead to more expensive rework due to the full system retesting that will be required.

Periodic Audits

Periodic auditing of software during development can be done with automated tools and is less expensive than waiting until after the development process is finished; it therefore results in shorter delays for changing and retesting than a post-development audit.

Real-time Auditing

The most pro-active approach is to audit software in real time at the developer workstation for compliance with the IP policy. The development process is not disturbed and the cost of corrections is minimal as there is no impact to system integration and testing. This process can be automated and generally requires very little developer training.

Regardless of the type of auditing approach that is selected, the overall goal is to minimize the time and cost of correcting the final software release so that it meets all functional, quality and licence compliance requirements. Each organization must consider its approach, balancing the short-term cost of developer training and tools versus the potential longer-term cost of post-release legal problems.

As companies leverage third-party code to achieve greater productivity gains, licence obligations left unmanaged become an increasing liability. For this reason, legal compliance of software licensing is rapidly taking a place alongside other business imperatives such as regulatory compliance as maturing organizations seek to maximize productivity while minimizing risk.

Kamal Hassin is director of R&D and product management at Protecode Inc. and the author or co-author of a number of papers on software intellectual property management. He can be reached at
