Effective Open Source Software Adoption for Compliance with Legal Obligations

    • This includes the adequate education of personnel involved. Corporate IP policies must be based on the organizations’ business goals and they should be clear and enforceable. They need to show the acceptable licenses, the approved vendors, what is restricted, and what should be done if unknown or unacceptable code is being brought into the organization’s software.
    • The availability of a central code library, which includes the legacy code in the organization, together with an automated process for ascertaining the pedigree of all components to ensure compliance to all legal obligations.
    • The processes and tools for ascertaining the legal obligations and managing the IP of software created and/or acquired in the organization.
    • The customer assurance and support concerning the quality and IP cleanliness of software provided.

The best results are obtained when record keeping and IP management are treated as integral parts of the software development and quality assurance process:

    • The establishment and enforcement of an organization software IP policy commensurate with the corporate business goals. Large organizations may choose to establish IP policies appropriate for each class of project (software) they are undertaking.
    • The creation of a central (legacy) code library for the enterprise (organization) and its subsequent analysis for the establishment of an associated pedigree database, which should capture the provenance and legal obligations associated with each code component in the enterprise (organization) code portfolio.
    • The intellectual property audit and interpretation of the existing software status with adequate follow-up actions to remedy any policy violations.
    • The enforcement of IP cleanliness assurance for any software acquired from outsourced development partners.
    • The real-time gathering of software records for all new source code created or brought into the organization by its developers.
    • Preventive analysis of each new software component to ensure that it meets the corporate IP policy.
    • Alerting developers in real time if code brought into the project does not meet corporate IP policy, together with instructions on what to do to alleviate the situation.
    • The completion of a software BoM which contains information on all components, including their origin, licensing obligations, supplier history, version, and all other pertinent information for proper lifetime management.
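As an added illustration (not code from the article or from any of the tools it describes), the following Python sketch shows how the policy definition, the preventive analysis of each new component, the developer alerts with instructions, and the BoM fit together; the `IpPolicy` and `Component` structures, the license and vendor lists and every component in the sample BoM are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    """One BoM entry; license is None when the analyzer could not establish it."""
    name: str
    version: str
    origin: str          # "open source", "internal" or "commercial"
    supplier: str
    license: "str | None"
@dataclass(frozen=True)
class IpPolicy:
    """Project-level IP policy (hypothetical structure) incl. the workflow for unknown code."""
    acceptable_licenses: frozenset
    restricted_licenses: frozenset
    approved_vendors: frozenset
    unknown_action: str = "keep the code out of the build until legal review establishes its pedigree"

def check_component(c, p):
    """Preventive analysis of one new component: a finding with an action, or None if compliant."""
    def finding(severity, reason, action):
        return {"component": f"{c.name} {c.version}", "severity": severity, "reason": reason, "action": action}
    if c.license is None:
        return finding("unknown", "license could not be determined", p.unknown_action)
    lic = c.license.strip().upper()  # compare license identifiers case-insensitively
    if lic in {l.upper() for l in p.restricted_licenses}:
        return finding("violation", f"license {c.license} is restricted",
                       "remove the component or obtain a written exception before merging")
    if lic not in {l.upper() for l in p.acceptable_licenses}:
        return finding("violation", f"license {c.license} is not on the acceptable list",
                       "replace it with an approved alternative or request a policy review")
    if c.origin == "commercial" and c.supplier not in p.approved_vendors:
        return finding("violation", f"supplier {c.supplier} is not an approved vendor",
                       "route the acquisition through procurement and legal counsel")
    return None

def analyze_bom(bom, p):
    """Run the check over a whole BoM; the findings are the alerts shown to developers."""
    return [f for f in (check_component(c, p) for c in bom) if f is not None]
# Constructed sample policy and BoM; not real components or any organization's real policy.
FIRMWARE_POLICY = IpPolicy(
    acceptable_licenses=frozenset({"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "Proprietary"}),
    restricted_licenses=frozenset({"GPL-3.0-only", "AGPL-3.0-only"}),
    approved_vendors=frozenset({"Trusted Vendor Ltd"}))
SAMPLE_BOM = [
    Component("zlib", "1.2.13", "open source", "zlib project", "Zlib"),          # compliant
    Component("netstack", "2.0", "open source", "example.org", "gpl-3.0-only"),  # restricted
    Component("forum-snippet", "n/a", "open source", "unknown", None),           # unknown
    Component("widget-sdk", "4.1", "commercial", "Acme Widgets", "Proprietary"), # vendor
]
```

A second `IpPolicy` instance with different lists gives a second project its own rules, which is the per-project policy variant the process below mentions.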

Automatic Tools for Efficient Adoption of Open Source

Second-generation automatic tools for record keeping and source code portfolio management have recently become available to help companies lower development and legal costs, reduce time-to-market and lower business risks.

Using such tools makes it possible to implement a simple and efficient process for managed open source software adoption, one that gives developers the freedom to select the best solutions consistent with the corporate policy. The main stages of such a process are:

  1. Central definition of an Intellectual Property (IP) and legal compliance policy acceptable to the organization or project.
      • This stage is initiated by the development or business manager together with legal counsel and captured by the appropriate tool for software IP analysis.
      • This stage also captures the mandated workflow in case of detection of policy violations in the course of subsequent code analyses and software development activities.
      • More advanced tools enable the definition of several IP policies to suit specific projects.
  2. Legal compliance analysis of legacy code or of code acquired from suppliers or subcontractors.
      • A software IP analyzer is used at this stage to map the software content and determine the pedigree of each software component, be it open source, internal proprietary or commercial. Usually, the analysis is done by comparing code characteristics (signatures) with large databases that contain the signatures of publicly available and some proprietary software libraries.
      • A pedigree database of analyzed code is established for further reference.
      • A report detailing the composition of the analyzed