Black Duck On Demand
By: Rob Reilly
Monday, March 28, 2005 09:31:27 AM EST
URL: http://www.linuxplanet.com/linuxplanet/reports/5794/1/
On-Demand Compliance
Black Duck Software is rolling out an on-demand service that will help small companies establish their software compliance processes at a modest cost.
Since manual analysis and remediation has been a time consuming and error prone proposition, many large companies have turned to Black Duck's standalone product line to automate their evaluation of code. The products have ranged from $25,000 on up, making them suitable for the larger organizations.
The company's protexIP/OnDemand Web-based service subscription is easily obtained by credit card starting at $3,000 for a 10-MB code base. This puts open source licensing analysis capabilities within reach of small software development shops, law firms involved in intellectual property litigation and venture capitalists doing due diligence.
"We are expecting thousands of customers to use it," said Doug Levin, CEO of Black Duck Software.
Managing intellectual property risks in software has been a hot topic lately, especially with the coverage of SCO vs. IBM and the outsourcing of software coding to low labor cost regions.
Black Duck's new protexIP/OnDemand product is a Web-based source code analysis solution that uses the same analysis engine and knowledge base infrastructure, as the standalone protexIP product.
A small client program resides on the client machine and creates code prints of the source code being evaluated. The web interface handles the logistics of connecting the code prints to the service center.
Minimal configuration is needed on the client side. Simply point Black Duck at the code tree (path) and it will go to work.
The service center side has two parts:
- A code analysis engine that looks for patterns in the open source/proprietary codeprints.
- A constantly updated knowledge base that checks open source licenses and software origins.
After the source code is analyzed in the service center, the customer has the opportunity to manually evaluate the results. Conflicts and unknowns are flagged and brought to the customer's attention for further investigation. Finally, reports (hardcopy or files) with license violations and obligations can be produced which aid in the remediation of the code, with the ultimate aim of making everything legal.
The client can actually do a side-by-side comparison of their code in one window pane and the project code (as consolidated in the Black Duck database) in the other pane. Proprietary code can also be inserted into the Black Duck database to add to the ever growing knowledge base.
Analysis times vary according to the size of the customer code base, amount of proprietary code involved, and which open source projects are utilized. Levin said that it generally takes less time to perform an analysis than it does to compile that same code.
Levin commented that protextIP could handle 44 different languages including: PHP, Python, C, C++, Java and others. It checks both open source and proprietary code and is platform independent.
Markets For Code Analysis
According to Levin, one of the main selling points of the new service is that it lets customers plan their solutions in advance and integrates open source along side of the proprietary code.
In other words, the customer can evaluate costs associated with using a particular piece of code, from a licensing or obligation standpoint, before it is actually integrated into a product. In the past, these costs have frequently been discovered, after the fact. The situation can make matters very difficult for everyone involved.
Levin also said that there are several situations where customers could use the service to perform due diligence. These include:
- Venture capitalists that want to have confidence in a company's code.
- ISVs, embedded vendors and other technology companies that want to inform their clients about the contents of their code and associated obligations.
- Customer procurement situations when the buyer wants to know what he or she is getting for their money.
- Compliance (Sarbanes-Oxley and other statutory requirements) situations when it's important to document business processes and associated reporting.
- Outsourcers that want to communicate to contracting parties that the software they produce is licensed legally.
The product is also attractive to people that aren't normally associated with code development, like attorneys. No need to buy and maintain a standalone protexIP product when client code is only analyzed occasionally on a case by case basis.
Black Duck Software's protexIP/OnDemand service is available as of March 28th.
Managing your intellectual property risks are very important these days and Black Duck's new protextIP/OnDemand product may just fill the bill.
Rob Reilly is a consultant, writer, and commentator who advises clients on business & technology projects. His Linux, personal branding, and public speaking skills-related articles regularly appear in various high-end Linux and business media outlets. Send him a note or visit his Web site at http://home.earthlink.net/~robreilly.