Susan Courtney, Barbara Frederiksen-Cross, and Marc Visnick, Johnson-Laird, Inc
Forensic software analysts routinely review source code in the context of litigation or internal software audits to assess whether, and to what degree, a body of software uses or references third-party materials. These references may include source code examples incorporated directly into a program, source code routines that are statically linked as part of the program, binary libraries that are dynamically referenced when a program is executed, or URL-based citations to third-party materials, such as an article on a website. While third-party materials are obviously invaluable to software development, they may introduce a variety of legal or security risks into software and expose a company to unexpected legal liability and/or negative publicity. Thus, quality software is defined not just by technical measurements, but also by the presence of a comprehensive set of policies and procedures that help mitigate these potential risks.
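The four kinds of third-party reference listed above are what a forensic code audit must catalogue. The scanner below is an added illustration, not code from the authors or their paper: it walks a constructed in-memory source tree and builds a per-file inventory keyed by reference category (URL citations, quoted in-tree includes, dynamic library loads, and non-standard-library Python imports). The file contents, the patterns and the standard-library allow-list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample "source tree" embedded inline so the scan runs offline.
SAMPLE_TREE = {
    "src/crypto.c": (
        "/* Adapted from https://example.org/blog/fast-sha256 (constructed) */\n"
        '#include "vendor/sha256.h"\n'
        "#include <stdio.h>\n"
        'void *h = dlopen("libcrypto.so", RTLD_NOW);\n'
    ),
    "src/app.py": (
        "# See https://example.com/snippets/retry for the original snippet (constructed)\n"
        "import requests\n"
        "import ctypes\n"
        "libc = ctypes.CDLL('libc.so.6')\n"
    ),
}

# One pattern per reference category the audit has to catalogue (assumed patterns).
PATTERNS = {
    "url_citation": re.compile(r"https?://[^\s\"'<>)]+"),
    "static_include": re.compile(r'#include\s+"([^"]+)"'),  # quoted includes = vendored/in-tree code
    "dynamic_library": re.compile(r'(?:dlopen|CDLL|LoadLibrary\w*)\(\s*["\']([^"\']+)["\']'),
    "python_import": re.compile(r"^\s*(?:import|from)\s+([\w.]+)", re.M),
}

# Constructed allow-list: modules that are not a third-party pedigree concern.
STDLIB_HINT = {"os", "sys", "re", "ctypes", "json"}

def inventory(tree):
    """Return {file: {category: [references]}} for every third-party reference found."""
    report = defaultdict(lambda: defaultdict(list))
    for path, text in tree.items():
        for category, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                if category == "python_import" and value.split(".")[0] in STDLIB_HINT:
                    continue  # skip standard-library imports
                report[path][category].append(value)
    return {path: dict(cats) for path, cats in report.items()}

def summarize(report):
    """Count references per category across the whole tree (the audit's headline numbers)."""
    counts = defaultdict(int)
    for cats in report.values():
        for category, values in cats.items():
            counts[category] += len(values)
    return dict(counts)
```

A real audit would feed this inventory into a review queue where each entry is matched against its licence terms and the company's approved-use policy.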
We believe it is essential that companies proactively establish a baseline pedigree for their software via a forensic code audit. The successful completion of a forensic code audit represents a moment in time at which all known third-party materials are appropriately catalogued, and the risks associated with those materials are fully understood by the company’s relevant business and legal stakeholders. But a one-time pedigree analysis alone is not sufficient to prevent downstream problems. A forensic code audit should be part of a comprehensive quality pedigree program that includes a set of well-defined prophylactic policies and procedures surrounding the use of third-party materials. These policies and procedures take into account the entire software lifecycle, including any customer support obligations that may remain once a program is deprecated. A company that proactively implements a quality pedigree program is better positioned to respond to customer requests, react to lawsuits or potential licensing problems, or justify a particular valuation of its intellectual property in the context of a merger or acquisition.
Building upon the authors’ 2009 presentation, we explore the practical mechanics of a forensic code audit, and discuss the other policies and procedures that can be used to manage a quality pedigree program as a part of your overall software quality plan.
2010 Technical Paper, Susan Courtney, Barbara Frederiksen-Cross, and Marc Visnick