
Expert: Be smart about mitigating open-source IP risks

Black Duck Software Inc. CEO Doug Levin had probably heard more software licensing and copyright infringement horror stories than anyone before he unveiled his startup company and its first product in January 2004. He surely holds that record now. Those stories convinced Levin to found Waltham, Mass.-based Black Duck Software around a new software license validation, management and auditing product called Enterprise Edition. Since the launch, he has heard tales of licensing legal woes from many more IT pros. He has also heard from companies that want to use open source software but are worried about the intellectual property risks. In this interview, he sums up those stories and describes how companies are dealing with the issue.

You've talked a lot about software development companies. Why would mainstream businesses benefit from greater oversight of their in-house development processes?
Software development that occurs in mainstream businesses -- like Global 2000 and even local 200 companies -- is not altogether that different from the software development in software or hardware vendors' companies. The differences are mostly related to scale, sales and distribution.

Large and small corporations do in-house software development. For them, the intelligent use of open source can reduce the amount of time needed and lower the costs of developing applications. Oftentimes, they'll even get a better quality of code by using open source software because there is a community contributing to that code.

Also, open source software offers some very specialized solutions that companies can use to good advantage. Oftentimes, corporations can use open source software to significantly improve the software that is on their shelves, so to speak, and in their own repositories. Open source software can add more functionality, more features and improve features of legacy software. There are many different possibilities with open source software for Global 2000 and small companies.

When you are utilizing open source software, you are -- in effect -- getting the time, energy and skills of other software developers without having to pay for it.


Would instituting this level of oversight be costly and time-consuming enough to perhaps negate some of the flexibility and cost advantages of using open source?
No, not at all. Companies with software development teams that have put these things in place have reduced costs. You have to think of the cost of those missed shipping deadlines.

This is not a substantial change in the way developers develop. There's just a little bit of extra work in doing more documentation and communication. On the management level, the managers have to be educated and trained to ask developers the right questions, like: "Are you using open source software? Is it justified? Can we properly license it?" If managers ask those leading questions and developers are educated about the use of open source software, the benefits are significant. For one thing, there is functional code, which is free, that's sitting up in open source repositories. Using it can result in faster time to market at lower costs. That's one of the biggest objectives and benefits of using open source.

How closely can a review board examine a product?
What they aren't able to do is a line-by-line code review. That's one of the needs we saw when creating our company. Black Duck can automate line-by-line code reviews and other processes and work in conjunction with a review board. In the absence of a review board, Black Duck can work in conjunction with development teams and attorneys.

How are companies grappling with this problem?
Probably the best way to deal with it is putting in place open source review boards, consisting of a heterogeneous mix of people. Some companies are putting in a board that includes system and development managers, developers, attorneys, business affairs and financial officers. The open source review boards meet regularly to review the processes that are in place and the projects that are under way. By reviewing these projects, they avoid the 11th hour, 59th minute problem.

So, a company has an open source review board and uses review automation software and services. What else should it be doing to protect itself from copyright violation claims?
It is also necessary to educate executives and people involved in management. Specific education for developers is also needed. They all need to know how to legally use open source software, what the processes are. People need to just be sensitized to the use of open source software and the proper licensing of it. They need to understand the resources that they have available to support the use of open source. Most importantly, companies have to facilitate conversations between developers and attorneys.

Before and after founding Black Duck Software, you talked to many companies that have had problems with licensing and copyright infringement issues. Is there a recurring theme in these conversations?
Most of the horror stories that I have heard about are connected to 11th-hour or 59th-minute type of decisions about using open source software. I have just lost track of the number of companies where a product manager and/or development team will come to the general counsel at the 59th minute and sometimes at the 59th second and say: "OK, we have completed the coding. Everything is all right, and we want to ship the product."

Then the company's attorney asks: "Are you using any open source software, and -- if you are -- is it properly licensed? Have you properly attributed it, and have you paid any related fees?" Too often, the answer to the attorney's questions is: "Yes, we used it. No, it's not licensed." So, the general counsel feels this great pressure to permit the release of the software, even though it is not properly documented.

Often, companies will miss their ship dates because they haven't adequately planned.

Why is this scenario so common?
Many ISVs and mainstream businesses don't have processes in place to make sure that developers are properly licensing and assigning licenses to the software. During the software development and release processes, there can be accidental, or not accidental, license violations.
