Practicing Safe Software

  • Uploaded by: 29oberon
  • 0
  • 0
  • June 2020
  • PDF



  • Words: 2,392
  • Pages: 29
Practicing Safe Software
Software Record Keeping and Intellectual Property Tracking

Carleton University Technology Innovation Management (TIM) Lecture Series

June, 2008

Problem Illustrated

[Diagram: code from Commercial suppliers, Open Source, the Firm’s Own Code base and an Outsource Company all feed the Organization’s Load Build; Due Diligence (Manual or Automated Scanning) sits between the build and the End Product. Caption: DO WE KNOW WHAT IS IN OUR SOFTWARE?!]

18 June 08

© Copyright 2008 Protecode Inc. Proprietary

Software Content Records

• Nobody knows what’s in the software
• Good software development practices have evolved
  – Code management systems
  – Bug tracking systems
  – But there are no
    • “Bill Of Materials”
    • Approved Vendors
    • Approved Components
    • Approved Licences
• Manual Record Keeping is impractical
• Software content management requires
  – Content records
  – Content policies
  – Content records showing policies are complied with


Market Environment

1. Open Source usage is growing
   – "At least 80 percent of all commercial software products will include elements of open-source code by 2012” according to Gartner
2. Outsourcing is common
3. Designers carry code from company to company
4. Access to code is easy
   • Contamination in software projects is prevalent
     – Mostly unintentional
5. Software Intellectual Property (IP) is important
   – Governance Requirements (e.g. Sarbanes-Oxley)


Open Source Software Is Maturing

[Figure: Gartner Hype Cycle for Open-Source Software, 2005]


Open Source Software – The Good

• Thousands of modules and millions of lines of code available
  – Example: Open source VoIP projects
    • Asterisk, SipX, OpenPBX, SIPxchange, OpenSIPStack, reSIProcate, Open Source SIP, Twinkle, OpenZoep, FreeSWITCH, YATE, RTPlib, plus at least 70 more
• Enables fast development, short introduction intervals
• Lowers product development costs
• Increases code re-use
• Good quality and security
  – Very large ecosystem
  – Access to source code
  – Peer reviews


Open Source Software – The Bad

• It is not free
  – Almost all OSS is subject to a license
  – License terms vary
  – License terms are not always compatible
    • Cannot always mix two types of code
  – License terms are difficult to interpret
    • Not a task for developers or development managers
• It is not tracked
  – Easy to bring in OSS
  – No record keeping
    • Who owns Intellectual Property (IP) over what areas?
    • Possibility of compromising ALL intellectual property, e.g. under GPL (General Public License) rules
    • Who brought in what
• No pedigree information
  – How it evolved, and from what


Interpreting Open Source Licenses

• Needs expert interpretation and fit with business
• Example: Sun Binary Code Distribution License Agreement
  – 7 page document
  – Sun grants you a … license …[to] distribute the Software, provided that … and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software

Sun Microsystems, Inc. Binary Code License Agreement for the JAVA SE DEVELOPMENT KIT (JDK), VERSION 6, http://java.sun.com/javase/6/jdk-6u6-license.txt
Taken from “Clarifying the IP Trail” by Janet Campbell, Legal Counsel and Manager of Intellectual Property, Eclipse Foundation Inc.


Other Contamination Possibilities

• Outsourcing Software Development
  – Contractors
  – Offshore and onshore
  – E-bidding (e.g. Elance.com)
    • No content records
    • Cross project code contamination
    • Developer previous-life contamination
    • Little control over delivered Software IP purity
• 3rd Party Commercial software
  – License terms vary
    • For development only
    • Limited volume only
    • Specific target markets


External Code Can Easily Creep In

• Code Search engines are common
  – Google Code Search
  – Krugle
  – Freshmeat
  – Coders
  – Great educational value
  – Significant IP contamination hazard
• Developer previous-life contamination
  – 70% of developers bring code from previous company
    http://news.zdnet.co.uk/software/0,1000000121,39156544,00.htm
• Growing up with the culture of plagiarism
  – “rip, mix, burn”, “cut & paste”
  – Instant information access, blurring what’s yours & what’s not …


Why is Software IP important?

• Intellectual Property Management impacts enterprise value
  – Software is a significant source of effort and investment
    • Exposure to third party rights
    • Protecting own rights
• Impact on commercial transactions
  – Representations and warranties, IP indemnity clauses
  – Real or perceived IP risks lower M&A value
• A company’s existence could depend on it
  – Litigation, lawsuits, penalties, out of court settlements
    • Microsoft vs Alcatel-Lucent (mp3), Welte vs Dlink, vs Fortinet, Cisco-Linksys, Cisco vs GPL in iPhone, FSF (Free Software Foundation) vs Open-TV, SCO-IBM (proprietary software found in open source), SFLC vs Monsoon Multimedia (Busybox product), vs Verizon, vs Xtrasys, Veritas vs Microsoft


Veritas vs Microsoft

In Veritas Operating Corporation v. Microsoft Corporation, the Court was asked to consider a motion by Microsoft for a dismissal of claims brought by Veritas alleging, among other things, that Microsoft had misappropriated certain trade secrets of Veritas and infringed Veritas’ copyright when it developed and incorporated Logical Volume Manager (LVM) into its operating system products. In considering the motion, the Court observed that only 54 lines of code, or 0.03% of a code base of almost 160,000 lines, had been identified by Veritas as having been infringed. In addition, with the exception of two lines, the section of code in question was not copied verbatim. Instead, Microsoft changed the code by upgrading the programming language from C to C++.

In denying one of Microsoft’s arguments for dismissal of the copyright infringement claim, that the amount of code copied was de minimis, the Court noted that even where a relatively small quantity of code is copied, a finding of substantial similarity can still be made if the copied code is sufficiently important to the operation of the new program or gives the new program distinctive features or makes it more desirable.

Veritas versus Microsoft, United States District Court, Western District of Washington at Seattle, Case No. C06-0703-JCC


Record Keeping and Standards

• International standards are fast becoming a staple of records management programs and practices
• Why is it important (1)
  – “… good records management practice is essential to create, capture and use information essential for the organization to fulfill its obligations and meet the expectations of its stakeholders...“
  – “… enables organizations to develop policies, strategies and programmes which will ensure that information assets have the essential characteristics of accuracy, integrity and reliability,"
• How important is it?
  – We have a standard on record keeping: ISO 15489!

(1) Robert McLean, member of ISO technical committee ISO/TC 46, Information and documentation, Subcommittee 11, Archives/records management


Record Management

• People do business based on a certain mandate (policy)
• People create and manage records that document business-impacting events and can provide evidence of them.
• Records management is integrated in doing business and as a business in itself

“Developments in ISO standards for recordkeeping” by Hans Hofman, Nationaal Archief Netherlands


Record Management & Quality Programs

• ISO 9000 (circa 1999)
  – 4.5 and 4.16: documentation, data and record keeping
  – Used in all Quality Assurance programs
    • Quality Leadership Program
    • Quality Design Program
    • Quality Purchasing Program
    • Quality Contracts Program
    • Quality Production Program
    • Quality Inventory Program
    • Quality Inspections Program
    • Quality Nonconformance Program
    • Quality Measurement Program
    • Quality Service Program
    • Quality Audit Program
    • Quality Training Program


Software Component Records

• Intellectual Property (IP) Management is impossible without records
• Good record keeping is a must for
  – Change Management
  – Fault management
  – Risk management
  – Supplier management
  – … for all ISO purposes
• Manual record keeping is
  – Always painful
  – Mostly impractical


Example: Manual Record Keeping

http://www.qnx.com/legal/licensing/dev_license/eula/License.Guide.1_05d.updated.Apr13-07.pdf


Managing Open Source Software

• Need clear policies in line with organizational goals
  – What types of licenses are acceptable
  – What to do in case of ambiguity
• Need accurate records
  – Keep track of all components in a project
    • Open Source
    • Commercial
    • Outsourced code
  – Who brought in what, and when, in case of questions
  – Keep track of Intellectual Property (IP) attributes of content
    • Licensing requirements
    • Copyright ownership
• Need automated record keeping and Software IP management tools
  – Leave developers to focus on code development


Current Solutions for making sure content is tracked and IP is safe

              Manual                                        Automated
Preventive    Education, Ethics; Use only known code        Commercial
Corrective    Commercial Due Diligence Service Companies    Academic; Commercial


Manual Due Diligence

• Typically one or more software experts, plus an IP lawyer
• Requires
  – Preparing
  – Due diligence
    • Document review
    • Management conference
    • Designer conference
    • Analysis
    • Report
• Can be outsourced
  – Commercial Software Analysis groups
• Expensive, Time Consuming, Inaccurate, Insufficient Records


Automated Corrective Solutions

• Academic or Commercial
• Examples of Academic Initiatives
  – MOSS (Measure Of Software Similarity)
    • Stanford University
    • In operation since 1994
    • Commercial version by Similix
    • Good paper on fingerprinting at http://theory.stanford.edu/~aiken/publications/papers/sigmod03.pdf
  – JPLAG
    • University of Karlsruhe, Germany
    • In operation since 1996
    • https://www.ipd.uni-karlsruhe.de/jplag/


Attributes of Automated Corrective Solutions

• Reduced analysis time
• Large databases of open source or academic code
• Automatically lists identifiable external content
• Correction of IP violations takes time & effort
• Detection depends on identification
  – Accurate content detection requires very large, up-to-date databases
• Can be fooled by automated code generators

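Added example, not code from the presentation or from MOSS/JPlag: the winnowing-style fingerprinting described in the cited Stanford paper, which is the kind of content matching these corrective tools rely on. Source is normalised, hashed in k-character grams, and only the minimum hash of each window is kept; two files then compare by fingerprint overlap. The C snippets and the function names (`normalise`, `winnow`, `similarity`) are constructed for this illustration.

```python
import hashlib
import re

# Strip comments and whitespace and lower-case, so re-commenting or reformatting
# a copied function does not change its fingerprints.
def normalise(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)   # block comments
    src = re.sub(r"//[^\n]*", "", src)                 # line comments
    return re.sub(r"\s+", "", src).lower()

def kgram_hashes(text: str, k: int) -> list:
    """Hash every k-character substring (32-bit prefix of SHA-1 is enough here)."""
    return [int(hashlib.sha1(text[i:i + k].encode()).hexdigest()[:8], 16)
            for i in range(len(text) - k + 1)]

def winnow(hashes: list, w: int) -> set:
    """Keep the minimum hash of each window of w consecutive k-gram hashes.
    Any shared substring of length >= k + w - 1 yields a shared fingerprint,
    while only a fraction of all k-grams has to be stored in the database."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}

def similarity(a: str, b: str, k: int = 5, w: int = 4) -> float:
    """Jaccard overlap of the two fingerprint sets: 0.0 (nothing shared) to 1.0."""
    fa = winnow(kgram_hashes(normalise(a), k), w)
    fb = winnow(kgram_hashes(normalise(b), k), w)
    if not fa or not fb:
        return 0.0
    return len(fa & fb) / len(fa | fb)

# Constructed samples: an original, a renamed/reformatted copy, and unrelated code.
ORIGINAL = """int sum_array(const int *values, int count) {
    int total = 0;
    for (int i = 0; i < count; i++) { total += values[i]; }
    return total;
}"""
RENAMED_COPY = """/* same logic, identifiers and layout changed */
int sum_array(const int *v, int n)
{ int total = 0;
  for (int i = 0; i < n; i++) total += v[i];
  return total; }"""
UNRELATED = """char *trim_left(char *s) { while (*s == ' ') s++; return s; }"""

if __name__ == "__main__":
    print("renamed copy:", round(similarity(ORIGINAL, RENAMED_COPY), 2))
    print("unrelated   :", round(similarity(ORIGINAL, UNRELATED), 2))
```

Renaming identifiers already lowers the score noticeably, which is why these tools need large, current databases and why a review step still follows automated detection.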

Manual Preventive Solutions

• Rely on establishing an IP firewall (does not address record keeping)
• Organizational policies, rules
  – Prohibit, or limit, use of open-source
  – Rely on education
    • Do not use off-the-shelf code
    • Firewall projects
• Use only pedigreed Open Source Software
  – Commercial firms offering clean code
    • Filter OSS for pedigree determination and certification
• Attribute: limited effectiveness


Automated Preventive Solutions

• Integrated into the development process
  – Installed at developer workstation and “build” machine
• Detect and log content as it enters the project
  – What, when, where, who
• Identify content against a database of known code (e.g. open source)
• Identified content can be checked against a set of policies
• Automatically create a software bill-of-materials
• Attributes:
  – Automated content record generation
  – Makes detection independent of identification
  – Can automatically resolve nested IP

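Added example, not Protecode’s Tracker or GIPS code: a minimal intake logger of the kind the slide describes. Each file entering the project gets a pedigree record (what, when, where, who), is identified against a known-code database by content digest, has its licence checked against a policy, and the records are then rolled up into a bill-of-materials. The sample sources, the known-code table, the policy values and all function names are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed sample sources and a constructed known-code database keyed by
# content digest (a stand-in for a repository of open source IP attributes).
LIBTINY_SRC = b"/* libtiny */ int tiny_add(int a, int b) { return a + b; }\n"
GPLUTIL_SRC = b"/* gplutil */ int gpl_util(void) { return 42; }\n"
KNOWN_CODE = {
    digest(LIBTINY_SRC): {"component": "libtiny", "version": "0.3", "license": "BSD-3-Clause"},
    digest(GPLUTIL_SRC): {"component": "gplutil", "version": "1.0", "license": "GPL-2.0"},
}
# Constructed licence policy: acceptable licences, forbidden ones, review for the rest.
POLICY = {"approved": {"MIT", "BSD-3-Clause", "Apache-2.0"}, "forbidden": {"GPL-2.0", "GPL-3.0"}}

def record_intake(path: str, content: bytes, who: str, when: datetime) -> dict:
    """Pedigree record for one file entering the project: what, when, where, who,
    plus the identification result and the policy verdict."""
    match = KNOWN_CODE.get(digest(content))
    license_id = match["license"] if match else "UNKNOWN"
    if match is None:
        status = "UNIDENTIFIED"      # still logged: detection does not need identification
    elif license_id in POLICY["forbidden"]:
        status = "BLOCKED"
    elif license_id in POLICY["approved"]:
        status = "APPROVED"
    else:
        status = "NEEDS_REVIEW"      # the policy's rule for ambiguous cases
    return {"what": path, "sha256": digest(content), "who": who, "when": when.isoformat(),
            "component": match["component"] if match else None,
            "version": match["version"] if match else None,
            "license": license_id, "status": status}

def bill_of_materials(records: list) -> list:
    """Distinct identified components (name, version, licence) across all records."""
    return sorted({(r["component"], r["version"], r["license"]) for r in records if r["component"]})

def policy_violations(records: list) -> list:
    """Paths whose content is blocked by policy."""
    return [r["what"] for r in records if r["status"] == "BLOCKED"]

# Constructed intake events, as a workstation tracker would log them.
WHEN = datetime(2008, 6, 18, tzinfo=timezone.utc)
INTAKE = [
    record_intake("src/add.c", LIBTINY_SRC, "alice", WHEN),
    record_intake("src/util.c", GPLUTIL_SRC, "bob", WHEN),
    record_intake("src/own.c", b"int own(void) { return 1; }\n", "carol", WHEN),
]
```

The unidentified file is still recorded, which is the point of separating detection from identification: the record exists even before the database can say what the content is.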

Protecode Preventive Solution

[Diagram: Software Development process, start → Edit Source File(s) → Load Build → Test → end. Outputs: Final S/W Load, Pedigree Record, IP Reports. Components: Tracker, GIPS, Report Generator.]

• Tracker: Slim client resides at the workstation, logging external content pedigree records as the content is introduced
• GIPS: Protecode’s Global Intellectual Property Server, repository for IP attributes pre-populated with Open Source Software data
• Reporter: creates various reports from pedigree records and database
• Administrator: defines policies and behavior


Automated Record Keeping Benefits - 1

• To Software Companies
  – Automatically generate and maintain records of software components and their authorship, ownership and IP attributes
  – Define IP policies and manage violations
  – Free developers from nuances of licensing
  – Reduce Costs
    • IP due diligence costs
    • Increase Open Source usage
  – Leverage managed adoption of open source and other third party content
    • Accelerate product development and reduce introduction intervals
    • Reduce development effort
• To Outsourcing Companies
  – Improve business competitiveness
  – Eliminate cross-project IP contamination
  – Leverage managed adoption of open source and other third party content
    • Ensure adherence to client’s IP policies
  – Resolve IP uncertainty issues


Automated Record Keeping Benefits - 2

• To OSS Creator
  – Enhanced Reputation & Value → by establishing pedigreed, quality reputation
  – Publish project bill-of-materials
  – Remove uncertainties from adopters of OS project
• To OSS Repository
  – Increases Value → by credibility of pedigreed software
• Open Source Consumers
  – Adopt OS projects that have pedigree information published
  – Consult repositories or forges that have pedigreed software
  – Adopt OS with full knowledge of the content
• Intellectual Property Legal Community
  – Clear definition of policies
  – Avoid manual IP record generation
  – Simplify tracking and problem resolution by having accurate records of “what, where, who and when” associated with external content


Protecode Corporate Summary

• Overview
  – Established January 07
• Product
  – Automated Preventive Solutions for Software Governance & Intellectual Property Management
• Market
  – Software Vendors
  – Enterprises that develop software for their products and services
  – Open Source Communities, Governments
• Value
  – Enhances Corporate Value → full software IP Governance
  – Increases Revenues → shorter time-to-market, pedigreed products, less onerous sales
  – Reduces Costs → Products, Development, Legal, Hiring
  – Automates software Bill-Of-Materials generation
• Product Status
  – Lead trials started January 2008
  – Publicly released as Beta in May 08
  – Commercially released in June 08 (www.protecode.com)


Thank You

Mahshad Koohgoli, CEO Protecode Inc Phone: +1 613 729 5936 x 222 [email protected]

