Open source compliance: Correction and prevention go hand-in-hand
Posted by Lacey Thoms on Wed, Mar 16, 2011 @ 11:16 AM
In the last blog, I talked about the software development life cycle in this age of software reuse.
Both software quality and market readiness benefit from, and are affected by, open source and other third-party software. Development practices are evolving to stay aligned with the current realities of outsourcing, software reuse, and the use of open source and other third-party software.
This is what we have found from surveying a good number of large and small companies. Best practices for open source management include a number of steps:
- start with a policy definition (what is acceptable or objectionable in a project),
- include scanning to establish a baseline of what is already in the organization,
- scan all incoming software, and
- scan before product releases.
Open source adoption processes have been maturing, with preventive third-party code management becoming more and more a part of a quality software development process. Automated software assessments at regular intervals are becoming more prevalent than the time-consuming practice of scanning software only at the end of a development process.
Many organizations are also tying software scans into their Source Control Management (SCM) process. Specific branches of software libraries are associated with automated scanning during the check-in process.
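The two practices above, a written policy and an automated scan at check-in, fit together as a small gate that the SCM hook runs before accepting a commit. The following is an added example, not code from the original post or from any scanning product it alludes to: the policy structure, the whitespace-separated manifest format and every component name are assumptions constructed for the illustration. The gate classifies each declared component against the policy, records review items so they are not lost, and refuses the check-in when a denied or undeclared license is present, which is the "fix it or record it at the developer's desk" outcome the post describes.

```python
"""Added example: a minimal license-policy gate of the kind an SCM pre-receive or
pre-commit hook could run. Policy layout, manifest format and component names are
constructed assumptions, not any real tool's format."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Policy definition (assumed layout): acceptable, objectionable and needs-review
# licenses, by SPDX identifier. Anything not listed is "unknown" and also blocks.
POLICY = {
    "allowed": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
}

# Constructed sample manifest: one component per line, "name license", with '#'
# comments. libepsilon deliberately declares no license at all.
SAMPLE_MANIFEST = """
# constructed sample: component  license
libalpha    Apache-2.0
libbeta     MIT
libgamma    GPL-3.0-only
libdelta    LGPL-2.1-only
libepsilon
"""


@dataclass(frozen=True)
class Finding:
    component: str
    license_id: str
    verdict: str  # "denied", "review" or "unknown"


def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Return (component, license) pairs; a missing license becomes ''."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def classify(license_id: str, policy: dict = POLICY) -> str | None:
    """Map a license to a verdict; None means it is allowed outright."""
    if license_id in policy["allowed"]:
        return None
    if license_id in policy["denied"]:
        return "denied"
    if license_id in policy["review"]:
        return "review"
    return "unknown"  # undeclared or not covered by the policy


def scan_manifest(text: str, policy: dict = POLICY) -> list[Finding]:
    """Every component that is not allowed outright becomes a recorded finding."""
    findings = []
    for component, license_id in parse_manifest(text):
        verdict = classify(license_id, policy)
        if verdict is not None:
            findings.append(Finding(component, license_id or "<none>", verdict))
    return findings


def check_in_allowed(findings: list[Finding]) -> bool:
    """Review items are recorded but do not block; denied/unknown ones do."""
    return not any(f.verdict in ("denied", "unknown") for f in findings)


if __name__ == "__main__":
    # Hook usage: exit non-zero to reject the check-in, listing what to fix.
    results = scan_manifest(SAMPLE_MANIFEST)
    for f in results:
        print(f"{f.verdict:8} {f.component:12} {f.license_id}")
    sys.exit(0 if check_in_allowed(results) else 1)
```

Run as a hook, the non-zero exit rejects the commit while the printed report tells the developer which component to replace or route for review, so the same scan that establishes the organization's baseline also stops new objectionable code at the point it is introduced.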
But the ultimate in off-the-shelf code adoption is to have adoption guidelines applied by the developer. This happens at an early stage of the software development life cycle, where the developer actually assesses the fit of the code against the project's policies and guidelines. If the developer does not fix or record the problem in the first place, a proper open source adoption process will still catch it later, although fixing it will then be more expensive.
We have already seen static code analysis practices and tools integrated with software development environments. It is only recently that real-time open source management tools, integrated seamlessly with the developer’s development environment, have appeared on the market.