UK-headquartered Source Code Control Limited provides services ranging from open source software risk management to bespoke cloud transformation recommendations. It has just set up an office in India. In an exclusive interaction with Sreejani Bhattacharyya and Niraj Sahay of Open Source For You, Martin Callinan, founder and director of Source Code Control, talks of how businesses can mitigate the risks that come with creating code, and reflects on the overall state of the open source software landscape.
Source Code Control Limited is headquartered in the UK, with offices in the US and Central Europe, and now one in New Delhi too. Companies that develop software for IoT, AI, etc, work with Source Code Control to demonstrate to their customers and partners that their software is less risky.
Modern software uses components and libraries that are already developed and available on the Internet, and can be reused. For example, a developer who has a technical challenge can go to GitHub, download the components and fix the problem. But that can bring risk into the application that is being developed.
The risk is two-fold
There is a two-fold risk in developing software. First, there could be vulnerabilities in the code that is being used off the Internet. These could shift to the application and create a risk for the customer, as the software can get hacked. The second risk has got to do with the value of the software company using the code. Associated with any code is copyright law. The code on the Internet will have a licence associated with it, and there are certain obligations that come with that licence. If these are not met, the value of the company using the source code from the Internet can go down.
Source Code Control works with companies to manage this risk. This is such a big problem today that there is now an international standard for how to manage this software supply chain.
Martin Callinan, founder and director of Source Code Control, says, “We work with both sides of the equation–companies developing software as well as those acquiring software services and solutions.”
Software composition analysis
But how can a developer take care of software licensing and IP while downloading libraries from the Internet? A process called software composition analysis helps here. There are technologies that can scan source code and identify all the copyright, all the licences, third party libraries, version numbers, etc, to see if there are any vulnerabilities in the downloaded libraries. “We build a report called ‘Software Bill of Materials’, which is an itemised list of the makeup of the software,” says Callinan.
So, are developers responsible for intellectual property? Are they solely responsible for security? No, but they do play a role. Source Code Control carries out workshops and helps define rules along with the management — it creates policies and a training programme for developers. A major constraint in the policy would be that developers cannot bring in code under a licence that may create obligations to share the company's own code. It also includes the requirement to check for vulnerabilities before using a library from the Internet. Technology can be integrated into the tools that developers use, so that an alert is sent when there is an issue with the software being used. According to Callinan, Source Code Control educates and provides technology to automate software development, avoiding copyright risks.
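As an added illustration, not code from Source Code Control or from the article, here is a minimal composition-analysis pass in Python over a constructed dependency manifest: it records each third-party component with its version and licence as an itemised bill of materials, and applies the kind of policy rules described above (copyleft disclosure obligations, known-vulnerable versions, components left unmaintained for years). The manifest, the advisory list, the licence policy and the dates are all invented for the example.

```python
"""Minimal software composition analysis (SCA) pass: inventory third-party
components, emit an SBOM-style record and flag policy violations.
Constructed example; the manifest, licence policy and dates are made up."""
from dataclasses import dataclass, asdict
from datetime import date
import json

# Constructed manifest: what a scanner would recover from a project's
# dependency files and licence headers (name, version, licence, last release).
MANIFEST = [
    {"name": "fast-json", "version": "2.4.1", "license": "MIT", "released": "2023-11-02"},
    {"name": "geo-nav", "version": "1.0.0", "license": "GPL-3.0-only", "released": "2022-05-10"},
    {"name": "legacy-form", "version": "0.3", "license": "BSD-2-Clause", "released": "2012-06-30"},
]

# Policy agreed in the developer workshop (invented values): copyleft licences
# create an obligation to share the company's own source; no versions with a
# known advisory; nothing left unmaintained for longer than MAX_AGE_YEARS.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
KNOWN_VULNERABLE = {("fast-json", "2.4.1")}   # constructed advisory feed
MAX_AGE_YEARS = 5

@dataclass
class Component:
    name: str
    version: str
    license: str
    released: str
    findings: list

def analyse(manifest, today=date(2024, 1, 15)):
    """Return one Component per manifest entry with its policy findings."""
    out = []
    for entry in manifest:
        findings = []
        if entry["license"] in COPYLEFT:
            findings.append("copyleft licence: obligation to disclose source")
        if (entry["name"], entry["version"]) in KNOWN_VULNERABLE:
            findings.append("known vulnerable version")
        age = (today - date.fromisoformat(entry["released"])).days / 365.25
        if age > MAX_AGE_YEARS:
            findings.append(f"unmaintained: last release {age:.0f} years ago")
        out.append(Component(**entry, findings=findings))
    return out

def sbom(components):
    """Itemised bill of materials as JSON (simplified, loosely SBOM-shaped)."""
    return json.dumps({"components": [asdict(c) for c in components]}, indent=2)

if __name__ == "__main__":
    print(sbom(analyse(MANIFEST)))
```

A real scanner would populate the manifest from lock files and licence headers and pull the advisory set from a vulnerability database; the policy checks stay the same shape.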
The business risk is only going to increase. There have been some very big security breaches caused by developers using code off the Internet and companies not tracking it. British Airways faced one of the biggest security breaches in recent times, and had to pay a fine of GBP183 million. Due to the use of out-of-date components, customer data from the online portal was leaked. The software developer faced a challenge and used 100 lines of code off the Internet, which had not been updated since 2012. Since these lines of code were not tracked, hackers were able to get into the Web portal and collect the data.
What is OpenChain?
‘Open’ in OpenChain refers to open source, while ‘chain’ refers to the supply chain of software. Developers build and test the software, and then ship it to the customer. This is just like a production line. The OpenChain initiative tells companies how to manage the quality and delivery of this software supply chain. It trains them on how they need to work to show to the customer that the software they are developing is of high quality. It educates the software company as well as developers on what they should be managing and what they need to avoid.
India is the open source capital
India, being one of the biggest software development countries in the world, is now also being promoted as the open source capital of the world. The Indian government is leaving no stone unturned in promoting open source for all public software. In such an environment, companies that are unsure of code management are at risk of not securing the required investment, and leave the door open for hackers to exploit their code. Source Code Control helps to improve the quality of service from the risk perspective.
Due to Covid-19, movement of infrastructure and applications to the cloud has accelerated. Callinan says, “Source Code Control offers a service called ‘cloud economics’, which provides efficient ways of shifting on-premises infrastructure applications to the public cloud without overspending.”
Making companies investor-ready
From the IP point of view, the obligations that come with source code picked up from the Internet continue to increase. For example, Tesla is a market leader in EVs primarily because of the software it has developed. However, the code it used to develop this software was under a licence that obligated the company to share the source code of its navigation system, even if it did not want to. As a result, competing car manufacturers can now have the source code of Tesla’s navigation system and use the best bits for their own navigation systems.
“Source Code Control works for companies or people investing in tech companies of any size, who first need to understand what’s in the code of the latter. It brings out a report for the investor indicating the obligations to disclose source code, the vulnerabilities in the code, etc. This is called technical due diligence, and no investor will move forward without that,” says Callinan.
The European Union has a security framework standard for the IoT industry that states that its manufacturers must track what components and libraries developers are using that are off the Internet, along with the version numbers, to see how vulnerable they may or may not be. However, there is no such framework for the Indian software market, which is a challenge for the Indian companies developing software for the globe. They face commercial restrictions since they cannot demonstrate the quality of the software development. Source Code Control provides the required services to manage risks and demonstrate the quality of software.
Lack of knowledge
Globally, and in India, companies don’t have the resources to manage intellectual property or understand the makeup of the software. A few bigger companies may have the resources but not the knowledge. “Source Code Control can help these companies achieve a quicker time to market because it can help them manage these problems. It can help them give their customers the software BoM — the licences in their code,” says Callinan.
Mid-sized tech companies are looking to grow their businesses and seek investments. Source Code Control helps these companies get investor-ready, by ensuring software quality before they meet the investor.
In India, Source Code Control is associated with NASSCOM, as well as with investors and tech communities to help them get an understanding of the open source software challenge.
Callinan says, “I used to work for Microsoft in the UK around licence compliance. The reason why companies became non-compliant with Microsoft technology is because they didn’t have the knowledge to track where the software was installed and where the licence was purchased. I worked through this journey of creating processes and helping educate customers how to manage compliance.”
“Around 2008, I started looking at open source. Back then, it was not very popular. It was only when mobile devices started dominating the market that the whole technology stack opened up. Developers started using open source and sharing code on the Internet. But they are not business people. Nobody was looking at the business risks of the decisions made by the developers to take outdated code off the Internet and bring it to an application.”
“We started this business in 2014 to take the learnings of what happened in managing the compliance at Microsoft and applying it to open source in software developments. When we started, there was no guidance, there was no best practice, no standards to help customers manage that problem. We started the journey to create those standards and define the processes. We got involved with the OpenChain initiative run by the Linux Foundation. It is supported by big tech companies that have come together to figure out how to manage the business risks in the software supply chain. It is now an ISO standard,” he says.
Source Code Control is a partner-friendly organisation looking to develop partnerships with Indian companies ranging from big consultancies to independent software vendors. It is also partnering with GitHub to educate companies with respect to software risks.
Hiring in India
There is a lot of talent in India with knowledge of IP, code and the security issues. Source Code Control has hired ten people in India so far. It is looking for people who have a good understanding of the IP and software development process, particularly relating to the code and open source licensing. A lot of work that is done is data related, hence several data analysts will be needed as the business grows. Graduates are also being recruited whilst building their knowledge.
Many companies from the US and UK outsource software development to India. However, the disconnect between the developers and the business management in a company in India can lead to a major business risk. Source Code Control acts like an interface between the management and developers in a crowded competitive market. Companies that can provide a software BoM have a commercial edge and this also helps mitigate future business risks.
Insurance companies have to consider the worst case situation to quantify the risk due to security breaches. If the company is able to demonstrate that a process for tracking vulnerabilities and managing IP is present in the code, the insurance premiums could be less, leading to a commercial advantage and business benefit.
The evolution of open source is being driven by the changes in technology. Due to Covid-19, many companies in India are moving to the cloud. Two major cloud service providers are AWS and Microsoft Azure, which are in no way more ethical than other service providers in this domain.
It is a commercial strategy of software companies to offer free versions of their technology under an open source licence (MongoDB or Elasticsearch, for example). As companies grow bigger, they purchase the commercial licence later. But since AWS has made it so easy to get a free version, many open source companies have had to change or modify the licences of their free software. Elasticsearch recently changed its licensing model and made it mandatory to purchase a commercial licence. It said that in case the free version is used, the source code of everything that is developed has to be revealed, which is not feasible for companies.
The way hackers operate is changing as well. They are putting malware into the code, which is being downloaded by developers into their application and then shipped. Hence when the software is delivered to the customer, hackers can exploit the malware.
Source Code Control can help companies understand and manage these attacks. As technologies evolve, the licensing models will change, which can accelerate commercial risks. Continuous management of the code being developed is what is required.