SmartAdvice: Tracking Open-Source Code In Proprietary Apps
Licensing problems can result if open-source code is used and it doesn't meet a company's acceptable-use policies, The Advisory Council says. Also, unhappiness abounds with custom software packages when cost outweighs project satisfaction.
Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from leadership advice to enterprise strategies to how to deal with vendors. Submit questions directly to email@example.com
Question A: How can we detect unauthorized open source and other reused code in our proprietary applications?
Our advice: In the rush to produce code faster and cheaper, the pressure to take shortcuts in the development process encourages programmers to use more open-source and other recycled code. In the right circumstances, that can be perfectly acceptable practice. However, often companies have good legal and business reasons to avoid using open-source code.
Until last year, the only way to detect embedded open source was a painstaking code review by experienced programmers. With the recent spate of lawsuits related to the use of open-source code in proprietary applications, two startup companies have emerged to address this need. While both vendors offer viable, albeit expensive, solutions for the detection of open-source code, detection of recycled or stolen code remains a more difficult problem.
In a recent survey by Evans Data, 56% of software developers admitted to using open-source code in 2005, up from 38% in 2001. While for many companies using shared source is not only acceptable but welcome in terms of reduced development time and simpler maintenance, there are situations where open source isn't advisable. Open-source license agreements vary, and some of them might not fit with corporate policy on acceptable use, for example. A software vendor might not want to find that they need to share chunks of their code because someone took a shortcut during the development cycle and used a piece of code subject to the GPL (General Public License) restrictions. There's a very real danger that a company could open itself to bad publicity, lawsuits, or worse.
Black Duck Software Inc., founded in late 2002, followed shortly by Palamida Inc., founded in 2003, offer a subscription-based model for automating the drudgery of reviewing software for open-source code. Neither company's product comes cheap. Black Duck's annual entry subscription price is pegged at $25,000 and Palamida starts at $50,000 for an annual subscription. Black Duck has recently started offering a lower-cost 90-day subscription, with pricing based on the amount of reviewed code -- one user can scan up to 10 Mbytes of code against a hosted database for $3,000, rising to $25,000 for 100 Mbytes of code -- which could be a viable option for companies who need to review code from a one-time project instead of on an ongoing basis.
While the efforts of these two vendors are long overdue and fill a niche in the market, they don't address the larger issue of other types of recycled and "borrowed" code. Because the code-review services compare code with known and freely available sources, sophisticated but straightforward searching and data-mining techniques make the task possible. The larger, but more hidden, problem is the use of inaccessible but potentially unethical and illegal sources.
As more companies use outsourcing, both on- and offshore, for application development, the dangers of inadvertently violating code usage agreements will increase. Each company will need to weigh the expense of using an open-source-review subscription service against the risks of having such code embedded in their systems. For some companies the decision will be obvious, but the cost of the services might give others, with less clear need for 100% clean code, pause.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.