Posted by Protecode Inc. on Wed, Feb 29, 2012 @ 09:51 AM
The Role of Open Source Software
The use of open source software is increasing as software developers address the opportunities, and the corresponding challenges, of the telecommunications industry's transformation while also facing global economic and competitive pressures. The reasons include the following:
- Open source software’s agility and cost advantages add considerable choice to the catalogue of specialized components that software developers can call upon. For example, the Insight Report “Open Source Software Impacts on Telecom Services, 2011-2016” mentions over 23 telecom-focused open source companies in four major categories: Network Infrastructure, Business/Operational Support Systems, Service Delivery Platforms, and Open Source Software Support. At the same time, there are hundreds more companies serving the overall open source space which is also utilized by telecom software developers: from databases to XML tools.
- Using open source software components is becoming one of the key strategies to address the ever more complex integrations that are required in ever shorter time frames. Open source software increases the solution options available to systems integrators and mitigates the risks of lock-in and cost increases imposed by a few large and powerful vendors, who may often also be competing with the systems integrators. There are currently over 17 companies offering open source software and middleware for systems integration.
- As software systems constantly evolve, their use of 3rd party components creates a dilemma. On the one hand, by using existing and proven components from 3rd parties, business opportunities can be addressed faster. On the other hand, use of 3rd party components creates a dependency: the 3rd party component supplier needs to be responsive to the evolving needs of the developers using their components. If the 3rd party supplier does not respond in a timely manner because of business priority, direction or ability issues, then there is a major risk to the developers depending on the supplier. Open source can better enable evolution and mitigate future risks in two ways. Firstly, it increases the number of component vendors offering a larger number of options for evolving needs. Secondly, using open source components can offer more control to the business by ultimately allowing in-house critical code changes to be made, when it becomes clear that these are not going to be offered by the 3rd party suppliers.
- In business consolidation scenarios, the software assets being valued as part of the M&A increasingly include open source software introduced through in-house development, outsourced development, or 3rd party software. There can be significant legal licensing and intellectual property obligations, security risks, export regulations risks, and support costs associated with the software depending on the pedigree and licensing terms of the software. There may be anonymous source code introduced into the code stream with uncertain pedigree. Therefore, there are major software risks for both parties in an M&A situation: deal loss, valuation loss, delays, and unpredictable future costs to the business. These risks need to be managed.
Open source software risk management
While use of open source software in the transformation of telecom can bring significant benefits, the risks need to be managed:
- Support: While open source software source code is freely accessible, the building, packaging, testing, and on-going maintenance and evolution of this code need continuous investment or the code becomes undependable, particularly as it develops evolutionary branches. There is a need for a bill of materials for an existing code base, so that the developers are aware of what is in the code base and who supports each software component: internal staff, external volunteers, or a commercial organization.
- Security: CSPs and their vendors are at the core of the global information flow and their focus on security risks is, therefore, absolutely required. As the sophistication of open source software grows, its sources become much more diverse, and its use much wider, the risks of security vulnerabilities being introduced into CSP solutions also need to be robustly addressed. Again, having an accurate bill of materials that provides a reliable view of what source code components are in the software base is critical, as are methods of identifying code components that can increase vulnerabilities.
- Legal: There is a range of different open source licensing terms with differing legal obligations. These range from the restrictive GNU General Public License (GPL) with strict “copyleft” to the permissive BSD licenses with only attribution requirements. The terms of the license will determine whether a company’s software investment has to be opened up to its competitors as well. Some open source component licenses have implications on the ability to patent, or the possibility of infringing on patents, for the adopting organization. Therefore, the legal risk must be addressed robustly as part of a disciplined software development lifecycle approach using appropriate tools.
Open source license management is a cornerstone of a risk management strategy appropriate to the sophistication, scale, and critical role of telecommunications software. Protecode’s Open Source Software Adoption Process (OSSAP) can be layered on an existing quality-focused development process without replacing or hindering existing practices.
Posted by Protecode Inc. on Wed, Feb 22, 2012 @ 09:15 AM
An Industry in Transformation
The telecommunication industry is transforming rapidly: from providing voice and basic data services towards a much broader set of services with flexibility of adaptation to customer desires and market opportunities. Communications services providers (CSPs) are investing to serve the hyperconnectivity needs of evolving ecosystems of diverse applications for users and devices: increasingly mobile and interacting ever faster and in more complex ways.
The pace of this transformation towards hyperconnectivity services is driven by the rapidly growing number and categories of devices. These range from smart phones, eReaders, and tablets to connected vehicular systems, environmental sensors, smart tags, and many others. The devices enable a highly distributed, responsive, and ever-expanding range of applications such as digital media, gaming, enterprise management, ePayments, eHealth, smart-grid, clean-tech, and machine-to-machine. The growing usage of social networking in, and across, many application domains is an added driver for hyperconnectivity and customer engagement.
Cloud Computing in Telecom
The cloud computing service model is further adding to the pace of this transformation as it delivers application platforms with compelling advantages: time-to-market, operational economies of scale, capital cost reduction, and mobility support. The cloud model is creating new opportunities for service providers to offer application-driven service packages, service level agreements, and elastic resource allocation for demand-based services with real-time billing.
The telecommunications industry is dealing with the increasing complexities of this transformation, within a competitive environment that creates strong pressures for agility and innovation in services while controlling costs. Equipment vendors who supply the CSPs with products and services, especially given the global nature of their competition, face even greater and continuous pressures for cost-conscious agility and innovation to overcome the commoditization trap. At the same time, the major source of growth for the equipment vendors is in emerging markets where massive scale at low costs is a fundamental requirement.
Implications for software development
The transformation towards the hyperconnectivity services business model creates tremendous opportunities for CSPs and their equipment and service vendors. To address the opportunities, though, it also creates significant challenges for the required software systems:
- Complexity: More systems need to work in concert in order to provide broader service solutions for the hyperconnected users.
- High agility: The solutions need to be highly configurable for particular usage and business contexts in order to minimize software deployment complexities. At the same time, as unanticipated requirements arise, the software addressing them needs to be developed and deployed in the time frames demanded by very competitive markets: weeks rather than months.
- Cost-sensitivity: While the number of devices, their interconnections, bandwidth requirements, and communications service sophistication are growing exponentially, the related revenues grow only linearly within the challenging global economic context and competitive pressures.
- Massive scalability: Incredible increases in the number of devices per user (e.g. laptop, smartphone, tablet, camera, health monitor) and many devices that don’t have individual users (e.g. environmental sensors, smart tags) add to scaling requirements, as does the ramp-up in users and devices in the emerging economies.
Given the above challenges, the industry is responding with software lifecycle strategies that include:
- Specialized Components: With the increasing complexity of the software systems, delivery of functionally specialized components improves the ability to provide dependable solutions which can be refactored for different and evolving market needs. These components are developed in-house, out-sourced to 3rd party development, or obtained from 3rd parties. Open source software is increasingly used in all three cases.
- Integration: In conjunction with the above strategy, there is a need for creating comprehensive solutions from a large number of specialized components. Some of these components are combined to provide a product or a solution by a single vendor. However, the products and solutions from each vendor also need to be integrated across both standard and proprietary interfaces. There is the need to integrate new additional solutions into existing environments.
- Continuous Evolution: Given the need to constantly address market opportunities, standards and regulatory evolution, software components and their integration are being designed in such a way to allow change while protecting investment by utilizing as much of the existing software base as possible.
- Business Consolidation: Early stage innovators start up to address niche market opportunities and grow. And CSPs and their vendors merge with or acquire other companies for growth and to more strongly address their markets. Business M&A entails integration of complementary software components and systems into more powerful solutions, as well as consolidation of overlapping solutions to control cost and complexity. Software assets are a significant valuation consideration in most M&A deals in the industry, and open source software should be managed to provide a positive impact on the valuations, rather than introduce business risks.
Next week’s post will go into greater detail on how open source is used and how it should be managed in telecom development.
Posted by Protecode Inc. on Fri, Jan 20, 2012 @ 09:07 AM
Open Source License Type and Impact on Valuation
Licenses that cover open source code carry unique terms that have implications on code use, modification and distribution. For example, some restrictive open source licenses (known as copyleft licenses) require users that distribute modified programs to make source code available to downstream users free of royalties. The failure to comply with license obligations can lead to severe consequences, including being forced to come into compliance by releasing the asset’s source code, or paying damages. Infringement suits also result in a loss of goodwill affecting client relationships, distribution partnerships, and consumer confidence, which further diminish exit sale price.
The fact that target companies may be unaware of the incorporation of open source in their technology further complicates the valuation exercise. Factors including easy accessibility of open source software by resourceful developers, increasing reliance on third-party developed code, and the rise of software outsourcing and offshoring have resulted in a loss of control over the composition of code incorporated in software. Receiving inaccurate information regarding code composition renders the investor vulnerable to costly license infringement litigation.
Options to Consider
Because open source code could be incorporated in an asset without the knowledge of the target company, it is critical for the investor to independently confirm the status of the asset rather than rely on the portfolio company’s representations and warranties. This can be achieved through engaging competent external resources that can analyze software assets in the following ways:
- Scan source code to identify open source and third-party code embedded in software
- Compare the identified licensing or ownership attributes against the company’s licensing policies
- Detect license violations and incompatibilities
Once the assets are effectively analyzed, the portfolio manager can work with management to develop strategic solutions, positioning the investor to achieve optimal exit value. Questions to consider include:
- What functions do the open source components perform in the product?
- From a cost and/or strategy standpoint, is it more efficient and effective to:
  - Become compliant with license obligations?
  - Replace open source components in the product with open source code that carries more permissive license terms?
  - Remove the open source components and replace them with commercial or proprietary code with similar functionality?
  - Remain non-compliant and assume liability (qualify and quantify the liability)?
A cost-benefit analysis of each of the above options would include the impact on short term and long term business, cost of the effort to change, and potential delays to the transaction as a result of the changes.
Open Source Impact on Valuation is Manageable
The emerging mixed-source development environment calls for consideration of the unique value enhancing and potentially diminishing implications attached to open source. While in many cases, the presence of open source amplifies the value of technology, there are instances in which the license terms associated with the open source components diminish the core intrinsic value of the asset under consideration. Through performing effective pre-investment due diligence to identify the presence of open source, and engaging in simple but systematic post-investment asset management, portfolio managers can achieve optimal exit value on their investments.
Learn more about the 6 most popular open source licenses and their obligations.
This article was written by Diana Cooper, legal researcher for Protecode.
Posted by Protecode Inc. on Fri, Jan 13, 2012 @ 09:28 AM
Despite the volatile economic environment, 2011 has been good to the technology sector. Forrester and Gartner forecast a 7% increase in technology spending for the year. PwC US technology M&A insights similarly projected a positive outlook, crediting strong performance to the sector’s “ample cash balances, inexpensive debt and previously established strategic objectives.” The software industry is leading the pack, capturing $2 billion in venture funding in the third quarter, representing the highest level received by any industry. The third quarter also delivered the highest deal volume for the industry, with 263 rounds completed. Golden Gate and Infor’s $2 billion buyout of Lawson Software, and Providence Equity Partners’ $1.9 billion bid for SRA International ranked among the most notable private equity acquisition announcements in the technology sector.
Difficulty of Software Valuation
As these figures suggest, confidence in software has grown by leaps and bounds since the early 1980s when critics were doubtful of software’s inherent value. The genesis of software valuation only dates back to 1985 when the Supreme Court ruled in Digidyne Corp. v. Data General Corp. that software was valuable independently of the hardware that it attached to. While the ruling ended the debate surrounding the exploitability of software, the fast-paced sector that is no stranger to game-changing innovation presents continuing valuation challenges for appraisers. Technology investments carry unique risks, not the least of which is the looming possibility of the emergence of disruptive technologies (think connected tablets, peer-to-peer communications, cloud computing). At the same time, technology investments also carry potential for huge returns, including unexpected profits linked to the commercialization of killer applications (think Twitter).
The rapidly changing landscape of technology requires investors to be particularly attuned to industry trends and developments in order to assess the risks and rewards attached to assets under consideration for investment. This may prove to be a more difficult task for financial investors in comparison with their corporate counterparts.
A study of 1,441 European firm acquisitions in the period of 1997 to 2003 revealed that financial investors systematically overvalued their targets in relation to strategic acquirers. The results were linked to knowledge asymmetries that exist between strategic and financial acquirers. While corporate investors benefit from knowledge developed through their own R&D, financial investors tend to lack specialized knowledge due to portfolio diversification and avoidance of industry concentration.
Software Valuation and Mixed Source Software
An important trend to consider in software valuation is the increasing reliance on mixed-source solutions. Mixed-source refers to the combination of proprietary and open source code in a given technology. In 2010 open source was leveraged within 75% of Global 2000 companies. According to Gartner, this number will rise to 99% by 2016.
This trend is echoed by the 451 Group which reports that free and open source software (FOSS) “is embedded in proprietary products and commercial extensions have been added to FOSS… The line between proprietary software and open source software is becoming increasingly blurred to the extent that in many cases it is difficult to tell the difference between the two.” Even Microsoft, which previously characterized open source as an IP destroyer has adopted mixed-source solutions in recent years, most notably in its collaboration with Novell.
While open source is increasingly embedded into software, there is a lack of clear understanding of the implications of open source on asset value, and valuation guidelines have not been established. In addition to relying on traditional technology asset valuation methods, appraisers must consider the unique dynamic impacts of open source. Open source enhances asset value through delivering time and cost efficiencies in the development-to-market stages, lowering total cost of ownership, and promoting vendor independence. However, open source could also have a diminishing impact on asset value. Because some open source cannot be incorporated into products that have trade secret value, investors of mixed-source technology may face limitations in achieving optimal exit value.
Stay tuned next week for part two to find out how open source impacts valuation and how it can be managed.
Learn more about how open source software impacts your company.
This article was written by Diana Cooper, legal researcher for Protecode.
Posted by Lacey Thoms on Wed, Nov 23, 2011 @ 08:07 AM
The most recent version of Protecode System 4™ is Version 4.5, which contains the following improvements:
Security vulnerability reporting:
Once external software content is identified, Protecode System 4™ reports on any known security vulnerabilities as identified by common security vulnerability databases such as NVD.
Library Auditor (LA) integration with Git version control system:
Protecode Library Auditor now integrates and supports Git for real-time analysis and management of software attributes. Git joins other platform integration capabilities of Protecode System 4™ such as SVN, Perforce, ClearCase, etc.
LDAP integration for importing users:
Protecode System 4™ management is simpler by using the established LDAP infrastructure for defining users, assigning roles, and managing access to the analysis capabilities.
Export control (ECCN) reporting:
Once external software content is identified, Protecode System 4™ reports on any known Export Control Classification Number (ECCN) associated with the external content.
Encryption properties reporting:
Protecode System 4™ can identify common public-domain encryption software files, even when they are modified, and highlight them in the scanning reports.
Integration with Code Administrator™ (CA) to support a software package approval workflow:
Code Administrator™ now supports form-based package request and approval workflow, sharing the Pedigree Database with all other components of Protecode System 4™.
Language Support Extension:
Protecode System 4™ now supports Korean and Japanese languages for all its user interfaces and reporting.
Posted by Lacey Thoms on Thu, Sep 29, 2011 @ 08:27 AM
Marc Andreessen, cofounder of Netscape and the key investor in LinkedIn, recently announced that “Software is eating the world”. There are more instances of embedded software in the world today than of all other types of software combined. It is at the heart of transport, safety, health, food, agriculture, defense, entertainment and therefore virtually every sector of industry that one way or another touches our everyday lives.
Complexity of software design within the embedded space has increased exponentially. In a way it has mirrored and followed the way gate complexity in integrated devices has doubled every 18 months over the last forty years. The growth in code complexity has overlapped the change in business dynamics of our interconnected global market. Demands for shortening product development times, increasing functionality in products and reducing development costs have led to an increase in outsourcing, contracting, and code reuse. Open source software, the ultimate manifestation of code reuse, has become a key enabler of today’s competitive embedded market.
From the first GNU in 1983 to invasion of the whole IT stack by 2011, open source has penetrated every facet of software development. Such desirable attributes as faster time to market, lower development cost, better security, peer-reviewed quality, variety, zero licensing cost and multiple sources from mostly reputable suppliers are some of the reasons why open source has become the software of choice for over 40% of embedded projects.
Better known examples of open source software targeted for embedded applications include Android (in everything mobile and increasingly non-mobile), embedded Linux and other open source Real Time Operating Systems (RTOSs), the Qt User Interface (UI) used in phones, PDAs, refrigerators and industrial control systems, and roughly 100,000 other projects that cover everything from communications stacks, web browsing, user interfaces, remote management, embedded databases, audio and video codecs and even virtual machines (as in the Java virtual machine).
However, the advantages of open source software can only be realized if its adoption is managed. Open source software invariably comes with obligations that are represented in its associated licenses, copyrights, security vulnerability notices and export control classifications. Failure to understand and respect these obligations has repercussions similar to those of shortcomings in product quality. Embedded devices such as consumer products are distributed in volume, and any impairment in quality, or in meeting licensing obligations, can be very costly in the field.
Project-level or organizational policies usually frame the acceptable terms and obligations. Although some may find it difficult to admit, today’s resourceful developers do not write code from scratch. They know where to get code and enhance it with their own creativity. It is unreasonable and impractical to expect developers to be aware of, and manage, code obligations as they create software under tight schedules. Increasingly, organizations are deploying practices that allow managed adoption of open source in projects, shortening development intervals and reducing development costs.
A survey of more than a hundred technology organizations, from large multinationals to small technology firms of fewer than 50 people, has identified the best practices used in the embedded industry for leveraging and managing open source software. Establishing license policies, adopting package pre-approval processes, creating a baseline of the existing inventory of software, and regular software analysis in real time and at build time, before the final product is shipped to the market, are some of the steps deployed by the embedded industry.
For more information on managing open source in embedded software, read our Open Source Software Adoption Process.
Posted by Lacey Thoms on Thu, Sep 08, 2011 @ 01:47 PM
Protecode's new Code Administrator™ is an extension to System 4™ which allows for the pre-approval of software packages before they are introduced into the development environment.
View the demo video:
Posted by Lacey Thoms on Thu, Sep 01, 2011 @ 08:24 AM
Assessing and approving third party or open source code before it is introduced into the development environment is an efficient way to ensure license compliance. Protecode recently announced the launch of a new tool, Code Administrator™ (CA), that facilitates a software package pre-approval process.
CA is another workflow capability, and step two in Protecode's Open Source Software Adoption Process, that further simplifies license compliance management in any organization. With CA, a user can request that a package be approved by submitting detailed information about the package and how it will be used within the organization. The request is then logged and its status is tracked. An administrator performs an audit of the requested package using Protecode Enterprise Analyzer™. Depending on whether the package conflicts with the organization's established licensing policies, the administrator either approves or rejects the package. Once approved, the package is made available to the organization.
Protecode System 4™, with the addition of CA, ensures that unwanted open source or third party code is detected as early as possible in the software development lifecycle, reducing costs and time of fixing compliance issues before the product is released to the market.
Stay tuned next week for a video demo of CA.
View the CA Datasheet.
Posted by Lacey Thoms on Fri, Aug 19, 2011 @ 10:20 AM
Earlier this week at LinuxCon a new way to ensure license compliance was released. Sponsored by the Linux Foundation, the SPDX workgroup announced the release of version 1.0 of the Software Package Data Exchange (SPDX) standard.
SPDX is the result of a collaborative effort to create a standard format for communicating the components, licenses and copyrights associated with a software package.
The release of the SPDX specifications marks the industry and the open source community coming together to fill a need. This standard will revolutionize the way third party software and in particular open source license management is done.
SPDX will enable more organizations to freely use open source software in their products and streamline the license compliance process.
As a member of Linux Foundation, Protecode has been working with the SPDX standard body to make System 4™ fully compliant with the SPDX 1.0 standard, launched today by the SPDX workgroup.
The ability to read and generate SPDX information by System 4™ eases license information exchange across the software supply chain, and allows for a simpler license compliance process.
Learn more about SPDX.
Learn about SPDX support in Protecode System 4™.
Posted by Lacey Thoms on Fri, Aug 12, 2011 @ 08:34 AM
Affero GPL and Cloud Applications
The Affero version of GPL (AGPL) license, issued by Free Software Foundation in late 2007, goes one step further, extending the GPLv3 rules to applications that are not distributed. These include software developed mainly for in-house applications and software deployed in web-services or cloud applications. Specifically, if the software deployed in a cloud application contains, in its entirety or modified form, any AGPL-licensed software, the source code for the entire running application must be made available to the community.
AGPL obligations, in summary, are the following:
- Freedom of use - no license fee to use, modify, redistribute.
- Copyleft - reciprocal usage & disclosure/permission requirements.
- Source Code Provision requirement – source code must be provided with any distribution (propagation) of code (original and modified).
- Modifications are allowed, but all modified files must have their source code freely available for use and modification by others.
- Combination with other code is NOT permitted unless the other code is compatible or can be converted to GPL terms [copyleft].
- Anti-Circumvention Protection - no code covered by GPLv3 may be included in or constrained by any anti-circumvention mechanism (technical or legal).
- Software Patent License Grant - if you hold a software patent that is based in any part on GPLv3 code and distribute the product, you are deemed to grant a license to use, modify and redistribute that patent to all downstream users of the product.
- “Tivo-ization” clause - if your product (that uses or is based around GPLv3 code) is bound by other licensing terms that are restrictive or otherwise incompatible with GPLv3, you may not convey (distribute) the product.
Certain versions of popular web applications such as SugarCRM, Launchpad and PHP-Fusion are licensed under AGPL.
Last word…
Just like traditional software, it’s important to know what is in your code as early as possible, before it goes to market. As with all quality management processes, discovering your license obligations early in the development process reduces the cost and time spent fixing problems right before the product is released. Many cloud applications are not distributed, and therefore do not fall under obligations associated with many copyleft licenses, except recent ones such as AGPL. To gain a clear understanding of third party components and their license obligations, a process must be put in place where external content is identified, tracked and managed. This can be done within a structured open source adoption process, either manually or, increasingly, by deploying automated tools.
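As an added example (not Protecode's, SPDX's or any project's own code) tying the SPDX post above to the AGPL point just made: a small Python script reads a constructed SPDX tag-value bill of materials and checks each file's concluded license against a hypothetical policy that distinguishes a distributed product, where GPL-style copyleft is triggered, from a hosted cloud application that is never distributed, where only AGPL-style network copyleft applies. The tag names follow the SPDX tag-value format; the package name, file paths, copyright holders and policy tables are assumptions made for the example.

```python
# Added example (not Protecode's code): read an SPDX tag-value bill of
# materials and check each file's license against a deployment-aware policy.
from dataclasses import dataclass

# Constructed SPDX fragment: the tag names follow the SPDX tag-value format;
# package, paths and copyright holders are invented for this example.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-1.0
PackageName: example-cloud-app
PackageLicenseDeclared: Apache-2.0

FileName: ./src/main.c
LicenseConcluded: Apache-2.0
FileCopyrightText: <text>Copyright 2011 Example Corp (constructed)</text>

FileName: ./third_party/crm/db.php
LicenseConcluded: AGPL-3.0
FileCopyrightText: <text>Copyright 2010 Example CRM Project
(constructed, spans two lines)</text>

FileName: ./third_party/json/parser.c
LicenseConcluded: GPL-2.0
FileCopyrightText: NOASSERTION

FileName: ./third_party/util/strutil.c
LicenseConcluded: NOASSERTION
FileCopyrightText: NOASSERTION
"""

# Hypothetical policy tables. GPL-style copyleft obligations are triggered
# by distribution; AGPL also treats network use (SaaS) as conveyance.
LICENSE_CATEGORY = {
    "Apache-2.0": "permissive", "MIT": "permissive",
    "BSD-3-Clause": "permissive", "GPL-2.0": "strong-copyleft",
    "GPL-3.0": "strong-copyleft", "AGPL-3.0": "network-copyleft",
}
POLICY = {  # categories acceptable without a source-release obligation
    "distributed": {"permissive"},
    "saas": {"permissive", "strong-copyleft"},
}

@dataclass
class SpdxFile:
    name: str
    license: str = "NOASSERTION"
    copyright: str = "NOASSERTION"

def parse_spdx(text: str) -> dict:
    """Minimal tag-value reader: one 'Tag: value' per line, with
    <text>...</text> values allowed to span several lines."""
    sbom = {"package": "", "declared_license": "NOASSERTION", "files": []}
    current, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or ":" not in line:
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        while value.startswith("<text>") and not value.endswith("</text>"):
            value += "\n" + lines[i].strip()  # continue a multi-line text
            i += 1
        if value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")].strip()
        if tag == "PackageName":
            sbom["package"] = value
        elif tag == "PackageLicenseDeclared":
            sbom["declared_license"] = value
        elif tag == "FileName":  # starts a new per-file record
            current = SpdxFile(name=value)
            sbom["files"].append(current)
        elif tag == "LicenseConcluded" and current is not None:
            current.license = value
        elif tag == "FileCopyrightText" and current is not None:
            current.copyright = value
    return sbom

def check_policy(sbom: dict, deployment: str) -> list:
    """One finding per file that needs action under 'distributed' or 'saas'."""
    findings = []
    for f in sbom["files"]:
        category = LICENSE_CATEGORY.get(f.license)
        if category is None:  # unknown pedigree: needs a manual review
            findings.append({"file": f.name, "license": f.license,
                             "status": "review", "reason": "license not identified"})
        elif category not in POLICY[deployment]:
            findings.append({"file": f.name, "license": f.license, "status": "violation",
                             "reason": f"{category} obligations apply when {deployment}"})
    return findings

if __name__ == "__main__":
    bom = parse_spdx(SAMPLE_SPDX)
    for mode in ("saas", "distributed"):
        print(mode, [(x["file"], x["status"]) for x in check_policy(bom, mode)])
```

Run against the constructed input, the GPL-2.0 file is clear for the hosted deployment but a violation for a distributed product, while the AGPL-3.0 file is flagged in both cases and the file with no identified license is held for review.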