
Model for automating software compliance

Saturday 22nd May 2010

Automated applications for scanning software to determine its composition, the pedigree of its components, and the status of compliance with licensing and copyright obligations are key elements of effective software IP management, urge Mahshad Koohgoli, CEO of Ottawa-based Protecode Inc, and executive consultant Sorin Cohn-Sfetcu. They present the following cost model for assuring software legal compliance using automated tools correctively and preventively; Protecode is in the news as having been named a Cool Vendor for 2010 by Gartner.

The cost model takes into account factors such as the extent of open source or other third party content in a product, the extent to which that content violates an organisation’s licensing policies, the probability of detecting a violation after a product launch, and the cost associated with fixing the problem.

The model discusses methods and readily-available tools for managing compliance as part of the software development quality process. Several scenarios with varying project complexity, organisation size, and introducing cost numbers for correcting licensing violations during development are considered, and the model discloses the effectiveness and the economies of automated software scanning and licensing compliance.

Ubiquitous software IP
Software is ubiquitous in devices and equipment, desktop applications and servers. It sources from internal developments, from suppliers of sub-systems and chips, outsourced development contractors, open source repositories or simply the previous work of the developers themselves.

Software is easily replicable, accessed, copied and re-used and any product that contains software can potentially be infringing on the Intellectual Property (IP) rights of a person or organisation that originally developed all or part of that software.

Consciously implementing measures for legal compliance in a software development quality process and incorporating aspects of effective software IP management into the organisation are crucial for any entity concerned with software development and delivery.

Proper licensing and copyright compliance, implemented as part of the normal QA process, can bring savings of up to 40% - 65%, compared to the potential costs of non-compliance. Even better, combining proper QA testing with preventive tools for software IP management right at the developer’s workstation can raise the level of savings to over 85%.

Open Source responsibilities
Open Source software has become a significant component of software development activities, intentionally and sometimes unintentionally, thanks to the wealth of available source code, its apparent free cost, and high degree of stability and security.

But while open source appears to be cost free, it is not without obligation and comes laden with licensing and copyright responsibility, enforceable by law. Lack of knowledge about these obligations and ignoring them can lead to dire consequences for technology firms, and some of the ensuing legal cases have been well documented.

This does not mean that outsourcing or open source usage should be avoided. The cause for concern is not with the use of open source, but with the unmanaged adoption of third party code and its accompanying copyright and licensing duties.

It is important for software organisations to establish appropriate IP policies that determine what specific open source licenses and license terms are acceptable for a specific product and business. Managers need to validate the IP cleanliness of their products and services to make sure all legal obligations are met before they go to market.


Third party software content and IP violation
Nowadays, it’s common to have software products consisting of thousands of software files (source code or binaries). Some of the components brought into the product may have license requirements and copyright obligations that are at variance with the corporate IP policy. For example, a corporation may be legally compelled to release the source code for a commercial product, creating a serious loss in revenue for the company.

Another scenario involves modification of a software file where the license specifically forbids any tampering with the code, resulting in legal action. Some of these violations are significant enough to warrant specific copyright compliance actions or software corrections, although determination of what is a significant legal violation is ultimately for a judge to decide; and getting in front of a judge is an expensive proposition.

External content in software could be as little as 10% or as high as 100% if the software is completely outsourced. For an illustration of this cost model, assume that only 45% of the software components are Open Source, or otherwise of external origin. In this scenario only 4% of all external content is in violation of the associated corporate IP policy.

If a licensing violation is detected after the software is released to the market, then costly post-release corrections are necessary. The model here allows for a range of non-compliance visibility in the market; assume that about 15% of the violations are somehow detected and reported in the field, i.e. 85% of the IP policy violations remain unnoticed in the field and cause no problems (until they may be discovered, of course).

Software licensing compliance methods
Traditionally, assessing IP-cleanliness has been done manually, by relying on developer records, expert analysis of the final software, and due diligence processes.

The licensing and copyright assessment is mostly undertaken in advance of key financial transactions – investment, merger/acquisition, or impending product release. Manual assessments are prone to error, consume expert resources, take a long time and are increasingly expensive as the use of Open Source and outsourcing grows.

Mitigating business risks associated with software legal compliance is best addressed by adopting a process, including legal considerations, within an organisation’s software quality development process.

1. “Head-in-the-sand” do nothing: Popular up until recently, this option ignores the compliance issue because it carries the lowest up-front cost, but bears the highest business risks and largest corrective costs post market introduction.

2. Developer training and project planning: Some companies consider proper training and project planning sufficient in normal situations, and accept undertaking an audit only when due diligence is imposed. The more developers are trained on software legal compliance issues, the more effective the development process can be. But it is a rather expensive proposition, given the growth in the number of distinct software licenses, the cost of developer training, and churn within the development environment. Here compliance depends solely on developers and gives no assurance of legal compliance before going to market.

3. Post-development licensing analysis and correction: Taking action later in the project lifecycle can take the form of external or internal auditing, and impacts the final stages of testing and the quality assurance process. This option can become expensive due to any necessary changes to the software after licensing analysis, and the subsequent re-testing and re-assessment. This option does not impact the development workflow, and can be rendered more cost effective with software. But it can prolong the project lifecycle near its conclusion, delaying final product delivery.

4. Periodic analysis and correction: Periodic licensing analysis and assessment of software during development leads to corrections as IP policy violations are detected. Analysis can be done with automatic tools and is less expensive than assessment at the conclusion of development, thanks to shorter delays in getting the fixes done and re-tested.

5. Real-time preventive assistance at the developer workstation: The most pro-active way to achieve software licensing compliance is real-time detection of license violations immediately at the developer workstation. The development process is not disturbed. The cost of corrections is minimised, corrections being done immediately without involvement of other resources and without need for re-testing. This process can be automated via software tools in ways that are unobtrusive, easy to adopt and do not require developer training in legal compliance. Managing licensing or copyright in real-time is the most cost efficient and lowest risk option in the long term.

Some of these options, such as real-time and periodic or build-stage assessment (4 and 5), can be used in combination for better results. Generally the sooner problems are detected and fixed, the lower the cost of the licensing management would be. Efforts to fix the software IP issues and associated delays in product readiness will drive the economics of software licensing management.

Automated software scanning and licensing management tools

Tools are available to automatically scan software (source code or binaries) and conduct a software pedigree analysis, detecting licensing and copyright policy violations. These can operate on demand, on schedule or even in real-time within the development process.

Some of the automated software scanning solutions allow the software analyses to be done in accordance with corporate IP policies and lend themselves well to instituting proper record keeping and safe software development practices (see “Automated Software Systems for Intellectual Property Compliance”).

Most software IP scanning and licensing analysis tools have a performance correctness factor of between 80% and 98%, where performance is reduced by missing IP policy violations or by reporting false positives (i.e. false assertions of violations). Performance depends on the accuracy of the analysis engine and the size of the external software (including Open Source) database used for reference. This model assumes a performance of 95% for the corrective analysis tool, as shown below in Table 2.

An automated, preventive, licensing management tool has a higher degree of performance, as it scans and detects every new software component which is saved/filed at the developer workstation. Its ability to detect external content is close to 100%, but for a conservative analysis we shall assume a 98% performance correctness.


Costs to detect and fix IP policy violations

The worst case scenario is to have license or copyright violations discovered in the field, or during an audit prior to a major financial event. The costs are much higher due to involvement of legal personnel and the corrections necessary after development completion. Not taking into account having to face a judge, costs can be anywhere between $5,000 and beyond $50,000. Involvement in a judicial process will raise costs exponentially. The conservative model illustration assumes a “licensing correction” cost of $20,000 after product development is launched.

There are extensive studies on the cost of fixing software defects during development, at the Quality Assurance (QA) stage or in the field (“Software Maintenance Implications on Cost and Schedule” and “Software Sizing, Estimation, and Risk Management”). Regarding licensing and copyright violations, there is insufficient statistical data to define precisely the cost of addressing IP policy violations. In this case the situation changes with the nature of the violation and the remedies applied.

A policy violation detected at the QA testing stage usually involves the testing personnel, the development managers and the actual developers in order to decide what is to be done and to implement the necessary corrections (such as replacing the offending code). Most violations will span multiple files in a project that does not satisfy the licensing policies of the organisation. This may take more than one person-day of work and usually ranges between $500 and $3,000 to fix a package and remove multiple offending files. For this example assume a $100 cost of fixing a problem software file at the QA stage.

The cost of fixing the problem right at the developer workstation, in real-time as a developer brings an offending code segment into his project, is substantially lower. It may take only minutes of the developer’s time and does not involve any other expensive resources.

The cost, based on the time taken, of fixing issues right at the developer workstation could be between $25 and $60. In the ROI model, assume a cost of $40. In some cases the developer, once notified of an IP policy violation at his workstation, can provide an explanation, such as “this code is brought in for testing and will be replaced”. That explanation is captured by the tool and kept for the records.

Project and organisation size impact on ROI
The ROI cost model is applied to four different software projects covering a wide range of software organizations in the industry:

  • Large projects: more than 100,000 software components (files) and 100 developers.
  • Mid-size projects: more than 30,000 software components and 40 developers in the team.
  • Small projects: fewer than 10,000 software components and 20 developers in the team.
  • Projects with fewer than 3,000 software components and under 7 developers.

For simplicity assume three distinct scenario approaches:
1. No software IP management action prior to market.
2. Licensing compliance assessment and correction at QA stage.
3. Preventive automatic IP management with final licensing compliance assurance at the build stage.

Results
− The larger the project (number of files involved), the higher the amount of external components (open source or otherwise), the greater the number of infractions, and the higher the probability of being “caught” in the field, with the associated cost of “fixing” it.
− Corrective licensing assessment and management can catch licensing infractions at the QA stage, at a resulting cost per correction.
− Preventive licensing assessment and correction, at the developer workstation, catches nearly all infractions, and the cost of fixing each violation in real-time is lower.

Plugging numbers into the ROI model reveals the following conclusions on cost and savings associated with three IP management approaches described above.

Table 4. Costs and savings of various legal compliance approaches

The results above are illustrative, and in the cost model the assumptions and figures can vary without affecting the generality of the results. Ignoring licensing compliance can be costly; it is difficult to put an upper bound on the cost of shipping tainted software. Corrective analysis with automated tools, at regular intervals and at QA time, reduces the cost exposure significantly.
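To make the three scenarios concrete, here is an added example (not the authors' model or Protecode's tool) that aggregates the parameters quoted in the article into an expected compliance cost for each of the four project sizes listed above. The aggregation formula itself, the per-file and per-violation application of the quoted figures, and the omission of tool licensing, training and audit costs are assumptions of this example, so its savings percentages will not match the article's.

```python
from dataclasses import dataclass
# Figures quoted in the article; applying them per file / per violation is this
# example's assumption, as is the aggregation below.
EXTERNAL_FRACTION = 0.45     # components that are open source or otherwise external
VIOLATION_FRACTION = 0.04    # external content breaching the corporate IP policy
FIELD_DETECTION = 0.15       # shipped violations that get noticed in the field
POST_RELEASE_COST = 20_000   # per violation corrected after release
QA_TOOL_ACCURACY = 0.95      # corrective scan at QA / build stage
QA_FIX_COST = 100            # per offending file fixed at QA
PREVENTIVE_ACCURACY = 0.98   # real-time scan at the developer workstation
WORKSTATION_FIX_COST = 40    # per offending file fixed at the workstation

@dataclass
class Outcome:
    # Where the expected policy violations of one project end up.
    fixed_at_workstation: float
    fixed_at_qa: float
    escaped_to_field: float

    @property
    def cost(self) -> float:
        return (self.fixed_at_workstation * WORKSTATION_FIX_COST
                + self.fixed_at_qa * QA_FIX_COST
                + self.escaped_to_field * FIELD_DETECTION * POST_RELEASE_COST)

def expected_violations(num_files: int) -> float:
    return num_files * EXTERNAL_FRACTION * VIOLATION_FRACTION

def do_nothing(num_files: int) -> Outcome:             # scenario 1
    return Outcome(0.0, 0.0, expected_violations(num_files))

def qa_corrective(num_files: int) -> Outcome:          # scenario 2
    v = expected_violations(num_files)
    caught = v * QA_TOOL_ACCURACY
    return Outcome(0.0, caught, v - caught)

def preventive_plus_build(num_files: int) -> Outcome:  # scenario 3
    v = expected_violations(num_files)
    at_ws = v * PREVENTIVE_ACCURACY                    # stopped at the workstation
    at_build = (v - at_ws) * QA_TOOL_ACCURACY          # leftovers caught at build time
    return Outcome(at_ws, at_build, v - at_ws - at_build)

def savings(baseline: Outcome, alternative: Outcome) -> float:
    return 1 - alternative.cost / baseline.cost

PROJECT_FILES = {"large": 100_000, "mid-size": 30_000, "small": 10_000, "tiny": 3_000}

if __name__ == "__main__":
    for name, n in PROJECT_FILES.items():
        base, qa, prev = do_nothing(n), qa_corrective(n), preventive_plus_build(n)
        print(f"{name:>8} {n:>7} files: none ${base.cost:>11,.0f} | QA ${qa.cost:>9,.0f} "
              f"({savings(base, qa):.0%}) | preventive ${prev.cost:>8,.0f} ({savings(base, prev):.0%})")
```

Changing any constant at the top (for instance the 15% field detection rate) shows how sensitive the "do nothing" column is to assumptions the article itself calls conservative.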

Authors: Protecode Inc CEO Mahshad Koohgoli holds a BSc and a PhD from the University of Sussex, England, and has more than 25 years’ experience in the telecommunications industry, specialising in technology start-up businesses.


Sorin Cohn-Sfetcu is an executive management consultant with more than 30 years of international business and technology experience, involved in most facets of innovation development: from idea and product to global market success. He holds several patents in web services, wireless, and digital signal processing.
