Posted by Protecode Inc. on Wed, Feb 22, 2012 @ 09:15 AM
An Industry in Transformation
The telecommunication industry is transforming rapidly: from providing voice and basic data services towards a much broader set of services with flexibility of adaptation to customer desires and market opportunities. Communications services providers (CSPs) are investing to serve the hyperconnectivity needs of evolving ecosystems of diverse applications for users and devices: increasingly mobile and interacting ever faster and in more complex ways.
The pace of this transformation towards hyperconnectivity services is driven by the rapidly growing number and categories of devices. These range from smart phones, eReaders, and tablets to connected vehicular systems, environmental sensors, smart tags, and many others. The devices enable a highly distributed, responsive, and ever-expanding range of applications such as digital media, gaming, enterprise management, ePayments, eHealth, smart-grid, clean-tech, and machine-to-machine. The growing usage of social networking in, and across, many application domains is an added driver for hyperconnectivity and customer engagement.
Cloud Computing in Telecom
The cloud computing service model is further adding to the pace of this transformation as it delivers application platforms with compelling advantages: time-to-market, operational economies of scale, capital cost reduction, and mobility support. The cloud model is creating new opportunities for service providers to offer application-driven service packages, service level agreements, and elastic resource allocation for demand-based services with real-time billing.
The telecommunications industry is dealing with the increasing complexities of this transformation, within a competitive environment that creates strong pressures for agility and innovation in services while controlling costs. Equipment vendors who supply the CSPs with products and services, especially given the global nature of their competition, face even greater and continuous pressures for cost-conscious agility and innovation to overcome the commoditization trap. At the same time, the major source of growth for the equipment vendors is in emerging markets where massive scale at low costs is a fundamental requirement.
Implications for software development
The transformation towards the hyperconnectivity services business model creates tremendous opportunities for CSPs and their equipment and service vendors. To address the opportunities, though, it also creates significant challenges for the required software systems:
- Complexity: More systems need to work in concert in order to provide broader service solutions for the hyperconnected users.
- High agility: The solutions need to be highly configurable for particular usage and business contexts in order to minimize software deployment complexities. At the same time, as unanticipated requirements arise, the software addressing them needs to be developed, and deployed in time frames for very competitive markets: weeks rather than months.
- Cost-sensitivity: While the number of devices, their interconnections, bandwidth requirements, and communications service sophistication are growing exponentially, the related revenues grow linearly within the challenging global economic context and competitive pressures.
- Massive scalability: Incredible increases in the number of devices per user (e.g. laptop, smartphone, tablet, camera, health monitor) and many devices that don’t have individual users (e.g. environmental sensors, smart tags) add to scaling requirements, as does the ramp-up in users and devices in the emerging economies.
Given the above challenges, the industry is responding with software lifecycle strategies that include:
- Specialized Components: With the increasing complexity of the software systems, delivery of functionally specialized components improves the ability to provide dependable solutions which can be refactored for different and evolving market needs. These components are developed in-house, out-sourced to 3rd party development, or obtained from 3rd parties. Open source software is increasingly used in all three cases.
- Integration: In conjunction with the above strategy, there is a need for creating comprehensive solutions from a large number of specialized components. Some of these components are combined to provide a product or a solution by a single vendor. However, the products and solutions from each vendor also need to be integrated across both standard and proprietary interfaces. There is the need to integrate new additional solutions into existing environments.
- Continuous Evolution: Given the need to constantly address market opportunities, standards and regulatory evolution, software components and their integration are being designed in such a way to allow change while protecting investment by utilizing as much of the existing software base as possible.
- Business Consolidation: Early stage innovators start up to address niche market opportunities and grow. CSPs and their vendors merge or acquire other companies for growth and to more strongly address their markets. Business M&A entails integration of complementary software components and systems into more powerful solutions, as well as consolidation of overlapping solutions to control cost and complexity. Software assets are a significant valuation consideration in most M&A deals in the industry, and open source software should be managed to provide a positive impact on the valuations, rather than introduce business risks.
Next week’s post will go into greater detail on how open source is used and how it should be managed in telecom development.
Posted by Protecode Inc. on Fri, Jan 20, 2012 @ 09:07 AM
Open Source License Type and Impact on Valuation
Licenses that cover open source code carry unique terms that have implications for code use, modification and distribution. For example, some restrictive open source licenses (known as copyleft licenses) require users that distribute modified programs to make source code available to downstream users free of royalties. The failure to comply with license obligations can lead to severe consequences, including being forced to come into compliance by releasing the asset’s source code, or paying damages. Infringement suits also result in a loss of goodwill affecting client relationships, distribution partnerships, and consumer confidence, which further diminishes the exit sale price.
The fact that target companies may be unaware of the incorporation of open source in their technology further complicates the valuation exercise. Factors including easy accessibility of open source software by resourceful developers, increasing reliance on third-party developed code, and the rise of software outsourcing and offshoring have resulted in a loss of control over the composition of code incorporated in software. Receiving inaccurate information regarding code composition renders the investor vulnerable to costly license infringement litigation.
Options to Consider
Because open source code could be incorporated in an asset without the knowledge of the target company, it is critical for the investor to independently confirm the status of the asset rather than rely on the portfolio company’s representations and warranties. This can be achieved through engaging competent external resources that can analyze software assets in the following ways:
- Scan source code to identify open source and third-party code embedded in software
- Compare the identified licensing or ownership attributes against the company’s licensing policies
- Detect license violations and incompatibilities
Once the assets are effectively analyzed, the portfolio manager can work with management to develop strategic solutions, positioning the investor to achieve optimal exit value. Questions to consider include:
- What functions do the open source components perform in the product?
- From a cost and/or strategy standpoint, is it more efficient and effective to:
  - Become compliant with license obligations?
  - Replace open source components in the product with open source code that carries more permissive license terms?
  - Remove the open source components and replace them with commercial or proprietary code with similar functionality?
  - Remain non-compliant and assume liability (qualify and quantify the liability)?
A cost-benefit analysis of each of the above options would include the impact on short term and long term business, cost of the effort to change, and potential delays to the transaction as a result of the changes.
Open Source Impact on Valuation is Manageable
The emerging mixed-source development environment calls for consideration of the unique value enhancing and potentially diminishing implications attached to open source. While in many cases, the presence of open source amplifies the value of technology, there are instances in which the license terms associated with the open source components diminish the core intrinsic value of the asset under consideration. Through performing effective pre-investment due diligence to identify the presence of open source, and engaging in simple but systematic post-investment asset management, portfolio managers can achieve optimal exit value on their investments.
Learn more about the 6 most popular open source licenses and their obligations.
This article was written by Diana Cooper, legal researcher for Protecode.
Posted by Protecode Inc. on Fri, Jan 13, 2012 @ 09:28 AM
Despite the volatile economic environment, 2011 has been good to the technology sector. Forrester and Gartner forecast a 7% increase in technology spending for the year. PwC US technology M&A insights similarly projected a positive outlook, crediting strong performance to the sector’s “ample cash balances, inexpensive debt and previously established strategic objectives.” The software industry is leading the pack, capturing $2 billion in venture funding in the third quarter, representing the highest level received by any industry. The third quarter also delivered the highest deal volume for the industry, with 263 rounds completed. Golden Gate and Infor’s $2 billion buyout of Lawson Software, and Providence Equity Partners’ $1.9 billion bid for SRA International ranked among the most notable private equity acquisition announcements in the technology sector.
Difficulty of Software Valuation
As these figures suggest, confidence in software has grown by leaps and bounds since the early 1980s when critics were doubtful of software’s inherent value. The genesis of software valuation only dates back to 1985 when the Supreme Court ruled in Digidyne Corp. v. Data General Corp. that software was valuable independently of the hardware that it attached to. While the ruling ended the debate surrounding the exploitability of software, the fast-paced sector that is no stranger to game-changing innovation presents continuing valuation challenges for appraisers. Technology investments carry unique risks, not the least of which is the looming possibility of the emergence of disruptive technologies (think connected tablets, peer-to-peer communications, cloud computing). At the same time, technology investments also carry potential for huge returns, including unexpected profits linked to the commercialization of killer applications (think Twitter).
The rapidly changing landscape of technology requires investors to be particularly attuned to industry trends and developments in order to assess the risks and rewards attached to assets under consideration for investment. This may prove to be a more difficult task for financial investors in comparison with their corporate counterparts.
A study of 1,441 European firm acquisitions in the period of 1997 to 2003 revealed that financial investors systematically overvalued their targets in relation to strategic acquirers. The results were linked to knowledge asymmetries that exist between strategic and financial acquirers. While corporate investors benefit from knowledge developed through their own R&D, financial investors tend to lack specialized knowledge due to portfolio diversification and avoidance of industry concentration.
Software Valuation and Mixed Source Software
An important trend to consider in software valuation is the increasing reliance on mixed-source solutions. Mixed-source refers to the combination of proprietary and open source code in a given technology. In 2010 open source was leveraged within 75% of Global 2000 companies. According to Gartner, this number will increase to 99% by 2016.
This trend is echoed by the 451 Group, which reports that free and open source software (FOSS) “is embedded in proprietary products and commercial extensions have been added to FOSS… The line between proprietary software and open source software is becoming increasingly blurred to the extent that in many cases it is difficult to tell the difference between the two.” Even Microsoft, which previously characterized open source as an IP destroyer, has adopted mixed-source solutions in recent years, most notably in its collaboration with Novell.
While open source is increasingly embedded into software, there is a lack of clear understanding of the implications of open source on asset value, and valuation guidelines have not been established. In addition to relying on traditional technology asset valuation methods, appraisers must consider the unique dynamic impacts of open source. Open source enhances asset value through delivering time and cost efficiencies in the development-to-market stages, lowering total cost of ownership, and promoting vendor independence. However, open source could also have a diminishing impact on asset value. Because some open source cannot be incorporated into products that have trade secret value, investors of mixed-source technology may face limitations in achieving optimal exit value.
Stay tuned next week for part two to find out how open source impacts valuation and how it can be managed.
Learn more about how open source software impacts your company.
This article was written by Diana Cooper, legal researcher for Protecode.
Posted by Lacey Thoms on Wed, Nov 23, 2011 @ 08:07 AM
The most recent version of Protecode System 4™ is Version 4.5 which contains the following improvements and:
Security vulnerability reporting:
Once external software content is identified, Protecode System 4™ reports on any known security vulnerabilities as identified by common security vulnerability databases such as NVD.
Library Auditor (LA) integration with Git version control system:
Protecode Library Auditor now integrates and supports Git for real-time analysis and management of software attributes. Git joins other platform integration capabilities of Protecode System 4™ such as SVN, Perforce, ClearCase, etc.
LDAP integration for importing users:
Protecode System 4™ management is simpler by using the established LDAP infrastructure for defining users, assigning roles, and managing access to the analysis capabilities.
Export control (ECCN) reporting:
Once external software content is identified, Protecode System 4™ reports on any known Export Control Classification Number (ECCN) associated with the external content.
Encryption properties reporting:
Protecode System 4™ can identify common public-domain encryption software files, even when they are modified, and highlight them in the scanning reports.
Integration with Code Administrator™ (CA) to support a software package approval workflow:
Code Administrator™ now supports form-based package request and approval workflow, sharing the Pedigree Database with all other components of Protecode System 4™.
Language Support Extension:
Protecode System 4™ now supports Korean and Japanese languages for all its user interfaces and reporting.
Posted by Lacey Thoms on Thu, Sep 29, 2011 @ 08:27 AM
Marc Andreessen, cofounder of Netscape and the key investor in LinkedIn, recently announced that “Software is eating the world”. There are more instances of embedded software in the world today than all other types of software combined. It is at the heart of transport, safety, health, food, agriculture, defense, entertainment and therefore virtually every sector of industry that one way or another touches our everyday lives.
Complexity of software design within the embedded space has increased exponentially. In a way it has mirrored and followed the way gate complexity in integrated devices has doubled every 18 months in the last forty years. The growth in code complexity has overlapped the change in business dynamics of our interconnected global market. Demands for shortening product development times, increasing functionality in products and reducing development costs have led to an increase in outsourcing, contracting, and code-reuse. Open source software, the ultimate manifestation of code-reuse, has become a key enabler of today’s competitive embedded market.
From the first GNU in 1983 to the invasion of the whole IT stack by 2011, open source has penetrated every facet of software development. Such desirable attributes as faster time to market, lower development cost, better security, peer-reviewed quality, variety, zero licensing cost and multiple sources from mostly reputable suppliers are some of the reasons why open source has become the software of choice for over 40% of embedded projects.
Better known examples of open source software targeted for embedded applications include Android (in everything mobile and increasingly non-mobile), embedded Linux and other open source Real Time Operating Systems (RTOS’s), Qt User Interface (UI) used in phones and PDA’s and refrigerators and industrial control systems, and roughly 100,000 other projects that cover everything from communications stacks, web browsing, user interfaces, remote management, embedded databases, audio and video codecs and even virtual machines (as in Java virtual machine).
However, the advantages of open source software can only be realized if its adoption is managed. Open source software invariably comes with obligations that are represented in its associated licenses, copyrights, security vulnerability notices and export control classifications. Failure to understand and respect these obligations has repercussions that are similar to those due to shortcomings in product quality. Embedded devices such as consumer products are distributed in volume, and any impairment in quality, or in meeting licensing obligations, can be very costly in the field.
Project-level or organizational policies usually frame the acceptable terms and obligations. Although some may find it difficult to admit, today’s resourceful developers do not write code from scratch. They know where to get code and enhance it with their own creativity. It is unreasonable and impractical to expect developers to be aware of, and manage, code obligations as they create software under tight schedules. Increasingly, organizations are deploying practices that allow managed adoption of open source in projects, shortening development intervals and reducing development costs.
A survey of more than a hundred technology organizations, from large multinationals to small technology firms of less than 50 people, has identified the best practices used in the embedded industry for leveraging and managing open source software. Establishing license policies, adopting package pre-approval processes, creating a baseline of the existing inventory of software, and regular software analysis in real-time and at build-time, before the final product is shipped to the market, are some of the steps deployed by the embedded industry.
For more information on managing open source in embedded software, read our Open Source Software Adoption Process.
Posted by Lacey Thoms on Thu, Sep 08, 2011 @ 01:47 PM
Protecode's new Code Administrator™ is an extension to System 4™ which allows for the pre-approval of software packages before they are introduced into the development environment.
View the demo video:
Posted by Lacey Thoms on Thu, Sep 01, 2011 @ 08:24 AM
Assessing and approving third party or open source code before it is introduced into the development environment is an efficient way to ensure license compliance. Protecode recently announced the launch of a new tool, Code Administrator™ (CA), that facilitates a software package pre-approval process.
CA is another workflow capability, and step two in Protecode's Open Source Software Adoption Process, that further simplifies license compliance management in any organization. With CA, a user can request that a package be approved by submitting detailed information about the package and how it will be used within the organization. The request is then logged and its status is tracked. An administrator performs an audit of the requested package using Protecode Enterprise Analyzer™. Depending on whether the package conflicts with the organization's established licensing policies, the administrator either approves or rejects it. Once approved, the package is made available to the organization.
Protecode System 4™, with the addition of CA, ensures that unwanted open source or third party code is detected as early as possible in the software development lifecycle, reducing the cost and time of fixing compliance issues before the product is released to the market.
Stay tuned next week for a video demo of CA.
View the CA Datasheet.
Posted by Lacey Thoms on Fri, Aug 19, 2011 @ 10:20 AM
Earlier this week at LinuxCon a new way to ensure license compliance was released. Sponsored by the Linux Foundation, the SPDX workgroup announced the release of version 1.0 of the Software Package Data Exchange (SPDX) standard.
SPDX is the result of a collaborative effort to create a standard format for communicating the components, licenses and copyrights associated with a software package.
The release of the SPDX specifications marks the industry and the open source community coming together to fill a need. This standard will revolutionize the way third party software and in particular open source license management is done.
SPDX will enable more organizations to freely use open source software in their products and streamline the license compliance process.
As a member of Linux Foundation, Protecode has been working with the SPDX standard body to make System 4™ fully compliant with the SPDX 1.0 standard, launched today by the SPDX workgroup.
The ability to read and generate SPDX information by System 4™ eases license information exchange across the software supply chain, and allows for a simpler license compliance process.
Learn more about SPDX.
To learn how to manage open source software throughout the software development process, read our 8 step open source software adoption process guide or watch the video.
Posted by Lacey Thoms on Fri, Aug 12, 2011 @ 08:34 AM
Affero GPL and Cloud Applications
The Affero version of GPL (AGPL) license, issued by Free Software Foundation in late 2007, goes one step further, extending the GPLv3 rules to applications that are not distributed. These include software developed mainly for in-house applications and software deployed in web-services or cloud applications. Specifically, if the software deployed in a cloud application contains, in its entirety or modified form, any AGPL-licensed software, the source code for the entire running application must be made available to the community.
AGPL obligations, in summary are the following:
- Freedom of use - no license fee to use, modify, redistribute.
- Copyleft - reciprocal usage & disclosure/permission requirements.
- Source Code Provision requirement – source code must be provided with any distribution (propagation) of code (original and modified).
- Modifications are allowed, but all modified files must have their source code freely available for use and modification by others.
- Combination with other code is NOT permitted unless the other code is compatible or can be converted to GPL terms [copyleft].
- Anti-Circumvention Protection - no code covered by GPLv3 may be included in or constrained by any anti-circumvention mechanism (technical or legal).
- Software Patent License Grant - if you hold a software patent that is based in any part on GPLv3 code and distribute the product, you are deemed to grant a license to use, modify and redistribute that patent to all downstream users of the product.
- “Tivo-ization” clause - if your product (that uses or is based around GPLv3 code) is bound by other licensing terms that are restrictive or otherwise incompatible with GPLv3, you may not convey (distribute) the product.
Certain versions of popular web applications such as SugarCRM, Launchpad and PHP-Fusion are licensed under AGPL.
Last word…
Just like traditional software, it’s important to know what is in your code as early as possible before it goes to market. As with all quality management processes, discovering your license obligations early in the development process reduces the cost and time spent fixing problems right before the product is released. Many cloud applications are not distributed, and therefore do not fall under obligations associated with many copyleft licenses, except the recent ones such as AGPL. To gain a clear understanding of third party components and their license obligations, a process must be put in place where external content is identified, tracked and managed. This can be done within a structured open source adoption process, either manually or, increasingly, by deploying automated tools.
Posted by Lacey Thoms on Fri, Aug 05, 2011 @ 08:44 AM
The last post discussed how many cloud applications do not fall under many of the obligations associated with copyleft licenses. Let’s take a look at the obligations of copyleft licenses as well as public domain and permissive licenses.
The variety of licenses currently governing the use of open source software is very large, but about 80 or so are recognized by the Open Source Initiative (OSI) and in reality less than two dozen are widely used. Almost all open source licenses can be widely categorized into three varieties.
• Copyleft licenses have more or less protective (also referred to as restrictive) terms associated with them.
- Weak copyleft licenses include Eclipse Public License (EPL) and Mozilla Public License (MPL). They both allow modification and mixing of the open source code with proprietary code, as long as you make the non-modified open source code available somewhere online and point to it in the documentation. The LGPL (Lesser GPL) license is the strongest in this category since it requires modified code to be also released in source form unless the application only links to the open source LGPL code and does not statically include it in the application.
- Strong copyleft licenses, such as GPL version 2 and version 3, impact software that is distributed. Almost all of these licenses require that any software using all or part of copyleft open source software also be released under copyleft obligations (hence the term viral used for these licenses). Another key obligation is that any proprietary code that is a modified version of the GPL code must be made available in source form. Also, GPLv3 specifically disallows use in its entirety or modified form in any DRM applications.
• Public domain licenses are basically free-for-all licenses; you can do anything with them except sue the author.
• Permissive licenses (such as MIT, BSD and Apache licenses) are very popular, as they can be modified and used in any open source or proprietary application as long as the attributions (copyright comments and the names of original authors/organizations) are not deleted.
Next week I’ll discuss the licensing requirements of using the AGPL license in cloud applications.
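One way to automate the compare-against-policy step for the license families described in these posts, as an added example that is not Protecode's code. The SPDX-style identifiers, the inventory format, the component names and the block/review/ok policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# License families as grouped in the posts above. Keys are SPDX-style short
# identifiers (an assumption of this example; the posts name licenses in prose).
FAMILY = {
    "MIT": "permissive", "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "Unlicense": "public-domain",
    "EPL-1.0": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

@dataclass
class Component:
    name: str
    license_id: str
    modified: bool   # has the third-party code been changed in-house?
    linkage: str     # "static", "dynamic" or "none"

def parse_inventory(text):
    """Parse 'name | license | modified | linkage' lines; '#' starts a comment."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, lic, modified, linkage = (f.strip() for f in line.split("|"))
        components.append(Component(name, lic, modified == "yes", linkage))
    return components

def evaluate(c, distributed, network_service):
    """Return (action, reason) for one component in one deployment context."""
    family = FAMILY.get(c.license_id)
    if family is None:
        # Unidentified code is the case the posts warn about: never auto-approve.
        return ("review", "license not in policy table")
    if family == "public-domain":
        return ("ok", "no obligations")
    if family == "permissive":
        return ("ok", "keep copyright and attribution notices")
    if family == "network-copyleft":
        # AGPL reaches hosted software, not only distributed software.
        if distributed or network_service:
            return ("block", "AGPL source obligation applies to hosted and shipped use")
        return ("review", "AGPL code present; confirm how it is deployed")
    if family == "strong-copyleft":
        if distributed:
            return ("block", "distribution triggers copyleft source disclosure")
        return ("ok", "not distributed; obligation not triggered")
    # Weak copyleft: LGPL is the strictest member of the family.
    if not distributed:
        return ("ok", "not distributed; obligation not triggered")
    if c.license_id.startswith("LGPL") and (c.modified or c.linkage == "static"):
        return ("review", "LGPL code modified or statically included")
    return ("ok", "publish location of the unmodified source in the documentation")

def audit(text, distributed, network_service):
    """Map each component name to the policy action for this deployment."""
    return {c.name: evaluate(c, distributed, network_service)[0]
            for c in parse_inventory(text)}

# Constructed sample inventory, as a scanner might export it.
SAMPLE = """
# name | license | modified | linkage
zlib-wrapper  | MIT                 | no  | static
report-engine | GPL-3.0-only        | yes | static
doc-store     | AGPL-3.0-only       | no  | none
imaging-lib   | LGPL-2.1-only       | no  | static
legacy-codec  | Proprietary-Unknown | no  | static
"""

if __name__ == "__main__":
    for label, ctx in (("hosted service", (False, True)), ("shipped device", (True, False))):
        print(label, audit(SAMPLE, *ctx))
```

The same inventory gives different results for a hosted service and for a shipped device, which is why the deployment model has to be an input to the check rather than an afterthought.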