Integrating Open Source Code Management Tools in the SDLC

[article]
Summary:

Developers realize that to meet deadlines may require assembling both proprietary and available open source software components. This article talks about exploiting benefits and managing challenges with reusing code for open source projects, open source code management tools and their integration, and leveraging managed open source software.

The landscape of software development is increasingly reliant on agile methodologies, which require developers to produce high-quality releasable products in shorter development cycles. The onus is on the development managers and team leaders to provide software developers with resources that help them address these aspects, allowing them to focus their creativity where it should be applied: the production of innovative software. Open source code management tools are examples of such resources.

In the age of increased competition and demanding users, companies are under pressure to release high-quality software at an ever-accelerating pace. Software teams are abandoning traditional software methodologies such as waterfall in favor of more modern ones such as agile. The latter allows them to reduce time to market and obtain stakeholders’ feedback earlier and throughout the development cycle.

For developers, adopting agile development means that the pace in which they have to solve problems is sped up as well. Seasoned developers realize that to meet deadlines, they cannot reinvent the wheel. Implementing creative solutions may require assembling both proprietary and available open source software components, especially using the latter for implementing well-understood supporting functionalities such as logging. Developers are becoming more and more reliant on the most popular form of reusability (i.e., copy and paste); just type the right search keywords in Google and you will get a piece of code that is suited for your use and ready to be integrated with your own proprietary code.

Exploiting Benefits, Managing Challenges

There are hundreds of thousands of open source projects available to developers. Reusing code from these projects—or even reusing entire projects—is an acceptable and encouraged practice in the industry, as long as it is understood that although these projects are in the public domain, they are copyrighted and their usage is governed by licenses issued by the copyright holders.

However, code reuse comes with some potential challenges:

  • Infringing on the copyrights of the authors
  • Introducing security vulnerabilities that carry the potential of severe impact on the customers (e.g., the OpenSSL Heartbleed bug)
  • Possible quality issues
  • The presence of encryption functionality that may impact exporting the software as per export control regulations

These challenges need to be carefully managed and mitigated by project managers as early as possible in the development cycle. The risks should be addressed in the same way we deal with risks introduced by software defects.

Defects that are exposed early in a development cycle are easier and less expensive to fix. It becomes extremely expensive to fix a defect if found in the field. For example, there could be a case where developers used open source code with licensing terms that are incompatible with business objectives, and the impairment is caught just before the final product is shipped to the customer. Remedying the situation would not be an easy endeavor, especially if the offending software is used in core functionality and replacement code is not readily available. The copyright holders of the offending code must be contacted for an alternate licensing term, or most likely, new code must be developed. In the latter case, regression testing is needed to make sure nothing is broken with the introduction of the new code, which results in missing deadlines and revenue loss.

In some companies, addressing the challenges outlined earlier will eventually end up being the responsibility of the developers. This is in contrast to the fact that the developers’ forte is technical creativity—they tend to love coding and applying their imagination to solving problems at hand. Sometimes developers are asked to pore over thousands of lines of open source code to make sure that either the code doesn’t contain encryption content that may impact export control regulations, or that the strength and method of encryption is properly documented. Reading licensing terms or cross-referencing code with the National Vulnerability Database for potential security vulnerabilities is not a particular strength found in software developers. In fact, these are rare skills, and compliance groups or software clearing houses in larger companies are always short-staffed and have difficulty finding the right people.

Open Source Code Management Tools

Typically marketed under open source scanning or open source license management tools, these automated applications can report on the presence of open source code in a portfolio and highlight several attributes of the detected open source software. Deep-scanning solutions typically utilize a database of open source and other software, reporting on code similarity between the code being analyzed and the content of the database. Deep-scanning solutions should be able to detect code similarity at a package level, file level, or even snippet level, where a developer may have cut and pasted some lines of code from a website.

Ideally, these automated tools can scan software in binary or source code format, automatically detect and support a variety of software coding languages, and contain open archives for multilevel analysis. The tools can report on the code similarities between the content of a portfolio and public domain software, create a bill of materials, and analyze detected open source projects, packages, versions, licenses and copyrights, security vulnerabilities (as reported by an accredited authority such as the National Vulnerability Database), or presence of encryption content.

Integration of Open Source Software Adoption Tools

Development leaders and project managers are typically tasked with ensuring that products containing open source code adhere to licenses and export control regulation while eliminating security vulnerabilities and assuring the quality of the software developed. The most effective way to manage open source software adoption is integrating open source scanning tools in the different stages of the development process.

I mentioned earlier the importance of exposing software bugs at the earliest stages of the development cycle. The software industry understands this, and it has responded with unit testing frameworks such as JUnit. Open source code management tools are another framework for early compliance, management of quality, and vulnerabilities associated with open source and third-party code. Developers can start using these frameworks as soon as development begins, ensuring that new functionality is implemented correctly and existing functionality is not broken. Increasingly software teams are integrating these frameworks into their development workflow, automating execution of these compliance and vulnerability management frameworks and alerting developers as soon as possible of any issues that are discovered.

Open source license management tools can be integrated at various points in a development cycle, from preapproving code before it is used in development to scanning code in real time as it is being developed. They may be integrated with source code management tools to detect compliance, quality, or vulnerability impairments as the code is checked into the library, or combined with the build processes to report on software composition and code attributes as the final artifact is created.

Leveraging Managed Open Source Software

Most software organizations have come to the realization that the risk of using open source products is significantly less than the risk of being left out of the open source revolution—as long as open source software adoption is managed. The use of open source code has become mainstream in all functional domains of application development, a practice that should be nurtured and encouraged. Software shops need to properly manage the use of this software in terms of its quality, respecting its licenses, addressing any security vulnerabilities, and the potential violation of export control regulations. Development and project managers need to assist developers to concentrate on their main tasks of producing creative software by integrating open source license management tools in the development process.

About the author

CMCrossroads is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.