You can now manage the source code for software-related product development in your organisation, using the Black Duck Suite, which among other capabilities, generates an alert each time a developer infringes a licensing requirement—across the product development life-cycle.
Consider this: when creating Windows 7, Microsoft outsourced the development of one of the new OS utilities to a third-party. Without Microsoft’s knowledge, the third-party integrated an open source component licensed under the GNU general public license (GPL) into the utility. The component was discovered after Windows 7 was shipped, forcing Microsoft to pull back the utility to remedy the code. This entailed costly reworking and also hurt its public image.
The moral of this story is that even large, very-well-run software organisations can make such mistakes. Without proper controls and an effective management platform, it is difficult, or impossible, to know what’s in your code.
Globally distributed teams of developers increasingly collaborate to assemble software from reusable components that come with their own proprietary code (rather than building applications entirely from scratch). So companies are becoming more and more concerned about maintaining control of their IP, properly tracking the origins and managing the obligations associated with the components that they reuse. Doing this has become essential to ensure license compliance, in the absence of which developers, vendors and organisations may face legal risks, negative publicity, costly code reviews, redesigns and rework. Manual methods of tracking software origins and obligations cannot keep up with the pace of rapid application/product development.
Still, as with practically everything else, technology offers a solution to even this challenge. Now, using the suite of tools from Black Duck Software Inc, you can gain control over the use of open source software and components in your company, and consume open source without the fear of license violations, affirms Rohit Sharma, vice president, Lyra Infosystems (P) Limited, the official representative partner of Black Duck Software, Inc in the Indian sub-continent.
Automation is the key
Since manual methods of finding, selecting, monitoring, and validating open source components are extremely limiting and error-prone, and an unmanageable drain on internal development resources, the key to gaining management control and successfully incorporating open source components into your development process is automation, opines Sharma. The Black Duck Suite can help automate the process of finding, managing, and confidently deploying open source software.
Describing a common scenario that demonstrates the necessity of tools like those from Black Duck, Sharma says: “Most companies that develop software for both products and services alike tend to sign off on software deliveries for their end customers, confirming that they’ve internally created intellectual property. However, from a practical standpoint, it’s highly time-consuming and unscalable to run through the entire source of any project/product and differentiate between source code developed internally and code that’s incorporated from open source repositories.
“The solution to dealing with this environment of composite, mixed intellectual property (IP), lies in automating this process. Black Duck can help in addressing both these requirements.”
A good tool for hassle-free product development
The typical open source software management life-cycle involves the following stages. Let’s see how Black Duck software can help to control the use of open source through each stage.
1. Search: Black Duck software provides a customisable work-flow to automate the process of searching for externally-sourced code, whether it is commercial code, outsourced code or open source code. The tool also lets users build a catalogue of approved components for developers to search. It also has a regularly updated searchable ‘Knowledgebase’ that continuously tracks over 2,000 unique licences, almost 5,000 sites, and security vulnerabilities. This is considered one of the industry’s most comprehensive databases of open source software and associated components, licences and other information, discloses Sharma.
“The internal catalogue your development team creates with Black Duck software, combined with the Black Duck Knowledgebase, lets you reduce the time developers spend searching for code; they support standardisation, and also help you ensure that developers are using code that meets your company’s policies and guidelines,” he adds.
2. Selection: Black Duck Suite also allows users to codify their compliance policies into its management platform; it then automatically scans source-code and binary files to uncover unknown, unapproved, non-compliant software. Thus, it ensures that only approved code is selected.
In addition, when developers access their own catalogues, or the Black Duck Knowledgebase, they have an easily searchable central repository, with all the metadata in one place, reducing the time it takes to make code selections, Sharma explains. “All of that metadata is managed in this one catalogue, so developers don’t have to go to several different places to view this information,” he adds.
3. Approval: Black Duck Protex automates the entire software code approval process by providing a customisable approval work-flow system. All reviewers involved in the development process for a particular piece of software can see where the code is in the approval process, who is next in the review chain, and whose approval is still pending. Black Duck Protex ensures that information from all the approvers is recorded from the start, to minimise iterations, and streamlines the approval process.
4. Validation: Black Duck Protex can be integrated with the build process to provide real-time and continuous validation—i.e., to analyse the code as developers are building the application. It analyses the code against the approved software bill of materials, to ensure compliance, and also provides an audit trail.
If non-approved, non-compliant code is introduced into an application, the Black Duck Suite notifies the developer right away, or it can trigger the approval process automatically. Black Duck software also integrates with common build systems to conduct ongoing code audits, automatically, throughout the software build process. Validation occurs without any manual intervention, explains Sharma.
5. Monitoring: When development groups integrate external code into their applications and services, problems can arise at the post-deployment stage. These could include the discovery of new security vulnerabilities, new versions, etc. Black Duck monitors open source code against all known security vulnerabilities, and provides real-time alerts when new vulnerabilities are discovered.
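To make the validation and monitoring stages concrete, here is an added illustration of the kind of build-time policy gate described above. It is not Black Duck code: the approved-component catalogue, the denied-licence list, the bill of materials and the advisory identifier are all constructed for the example.

```python
"""Build-time open source policy gate over a software bill of materials.

Added illustration, not Black Duck code. The policy format, component
records and the advisory identifier are all constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy: components the company has approved (with the licence
# it approved them under) and licences it refuses inside a proprietary product.
APPROVED = {
    ("zlib", "1.2.13"): "Zlib",
    ("jquery", "3.6.0"): "MIT",
    ("libpng", "1.6.37"): "libpng-2.0",
}
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Constructed vulnerability feed standing in for the monitoring stage.
KNOWN_VULNERABLE = {("libpng", "1.6.37"): "ADVISORY-PLACEHOLDER-1"}


@dataclass
class Component:
    name: str
    version: str
    licence: str
    origin: str  # "internal", "open-source" or "outsourced"


def validate_bom(bom: list[Component]) -> list[str]:
    """Return one finding per policy violation; an empty list means the build passes.

    Externally sourced components must be in the approved catalogue under the
    same licence, must not carry a denied licence, and must have no open advisory.
    Internally written code is only checked against the advisory feed.
    """
    findings: list[str] = []
    for c in bom:
        key = (c.name, c.version)
        if c.licence in DENIED_LICENSES:
            findings.append(f"{c.name} {c.version}: licence {c.licence} is denied")
        if c.origin != "internal":
            if key not in APPROVED:
                findings.append(f"{c.name} {c.version}: not in approved catalogue")
            elif APPROVED[key] != c.licence:
                findings.append(f"{c.name} {c.version}: licence {c.licence} differs "
                                f"from approved {APPROVED[key]}")
        if key in KNOWN_VULNERABLE:
            findings.append(f"{c.name} {c.version}: open advisory {KNOWN_VULNERABLE[key]}")
    return findings


def example_bom() -> list[Component]:
    """Constructed bill of materials, including an outsourced GPL component."""
    return [
        Component("disk-tool", "1.0", "Proprietary", "internal"),
        Component("zlib", "1.2.13", "Zlib", "open-source"),
        Component("libpng", "1.6.37", "libpng-2.0", "open-source"),
        Component("imagelib", "0.9", "GPL-2.0-only", "outsourced"),
    ]
```

Wired into a build step, a non-empty result is the point at which the developer is notified or the approval work-flow is triggered.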
Considering the visibility it provides, the Black Duck Suite seems like a good tool for enabling organisations to take charge of open source software usage during development. It also gives developers the freedom to focus only on their solution and not on licensing issues, reduces the time-to-solution, lowers costs, and drives innovation.
A quick check-list to determine if you need Black Duck
You would need a set of tools like the Black Duck Software Suite if any of the following statements describe your (or your organisation’s) experience with software development:
My development team’s open source software use may be exposing our company/customers to legal risks, negative publicity, loss of intellectual property, etc.
I don’t have a view of the composition of the software that’s being developed/delivered to customers.
I don’t have the control that I need over what open source software is being brought into my infrastructure by my developers, or by my supply chain.
I find it difficult to control the process while giving developers the necessary freedom to employ open source software to build both internal and customer-facing applications.
I am concerned about whether we actually control the use of open source by using industry best practices, and whether we pay enough attention to licence and security issues while maximising its benefits.
It is difficult to get our developers to comply with our corporate open source policies.
Our development teams use manual processes, such as e-mails and spreadsheets, to manage the use of open source software.
I worry about being able to maintain and support applications that contain open source code.
Our open source software approval process is way too slow.