In June of this year, Robert Westervelt wrote a great piece on how security issues are driving an increased awareness surrounding intellectual property (IP) protection. He also cites an IP study, in which 74% of respondents said their organization was going to spend more to secure electronic forms of intellectual property in 2007 than they did in 2006. Of interest to me was the use of the phrase "electronic forms of intellectual property". I can't be certain but I'm going to assume that Westervelt wasn't talking about IP at the most granular level, i.e., code, but when you and I think about electronic assets, that's most likely how we look at it.
What could be of more fundamental importance to running a business (besides employees) than the applications organizations implement, develop and possibly sell? It's these electronic assets that run the proverbial machine. Making up these applications are the millions of lines of electronic DNA: some proprietary, some not, but all of great value. Code is, at base, the reason for some of the most high-profile lawsuits of the digital age: Qualcomm vs. Nokia, the World vs. Sony's Orwellian rootkits, Finjan vs. Secure Computing, and Facebook vs. ConnectU, among others.
So going back to Westervelt's piece, it makes sense that companies should look to internal policy to both define and protect their IP. Coming up with a comprehensive definition of IP is critical, as it encompasses everything from the aforementioned code right on down to the PR strategy. Yet an IP policy alone will do little if you don't have solutions in place to help implement it.

Westervelt mentions "code leakage" as a way in which IP exits the company. In our line of work, we unfortunately see too much of this, but it's rarely malicious. Up against strict deadlines, developers often turn to the Web for open source solutions to their coding challenges. If someone else has figured it out, why re-invent the wheel? Indeed, but pairing that open source snippet with lines of proprietary code could very well make the proprietary code a piece of open source (depending on the OSS license). The developer decides to re-post the amended open source back to the community Web site from which it came, complete with its proprietary pairings. Developer #2, from a completely unrelated company, downloads this open source for his project and includes it in his organization's code base.

Two separate but equally serious incidents have been created in this scenario. The first developer has now leaked his company's proprietary data to the World Wide Web. The second has now "stolen" a company's IP and included it in his own organization's code base, inviting legal action, possible derailment of product development and a damaged company reputation. The most fascinating thing about both issues is that they are 100% preventable with proactive code audits. The coding process itself can be effectively tracked with solutions from companies such as Fortify and Coverity, while the intake of code can be tracked using solutions such as ours. So if it's so easy to prevent the problems, why aren't more people doing it?
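As an added illustration of the kind of code-intake audit the scenario above calls for (example code written for this post, not a vendor's product or anything from the original), the script below scans a constructed set of source files for license markers and flags files that mix copyleft and proprietary markers, carry a license outside an approved list, or carry no provenance marker at all. The marker patterns, the approved-license policy and the sample files are assumptions made for the example.

```python
"""Minimal code-intake audit: flag source files whose license markers
conflict with an internal IP policy. Patterns and samples are constructed."""
import re

# License families recognised by header text. Constructed, not exhaustive.
LICENSE_MARKERS = {
    "GPL": re.compile(r"GNU (Affero )?General Public License|\bA?GPL(v[23])?\b"),
    "MIT": re.compile(r"\bMIT License\b"),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0"),
}
PROPRIETARY = re.compile(r"proprietary|confidential|all rights reserved", re.I)
COPYLEFT = {"GPL"}  # families whose terms can reach the code they are paired with

def detect_markers(text):
    """Return (set of license names, proprietary flag) found in one file's text."""
    licenses = {name for name, pat in LICENSE_MARKERS.items() if pat.search(text)}
    return licenses, bool(PROPRIETARY.search(text))

def audit_file(text, allowed):
    """Findings for one file under a policy of allowed inbound licenses."""
    licenses, proprietary = detect_markers(text)
    findings = []
    if licenses & COPYLEFT and proprietary:
        findings.append("mixed: copyleft and proprietary markers in one file")
    for lic in sorted(licenses - allowed):
        findings.append(f"policy: license {lic} is not approved for intake")
    if not licenses and not proprietary:
        findings.append("unknown: no license or ownership marker, review provenance")
    return findings

def audit_sources(sources, allowed=frozenset({"MIT", "Apache-2.0"})):
    """Audit a mapping of path -> file text; return only the files with findings."""
    return {path: f for path, text in sources.items() if (f := audit_file(text, allowed))}

# Constructed sample tree mirroring the scenario in the text above.
SAMPLE = {
    "vendor/snippet.py": "# Licensed under the GNU General Public License v2\ndef parse(): ...\n",
    "core/engine.py": "# Copyright ACME Corp. Proprietary and Confidential.\n"
                      "# ... helper pasted from a snippet under GPL\n",
    "util/helper.py": "# MIT License\ndef f(): ...\n",
    "tmp/paste.py": "def g(): return 1\n",
}

if __name__ == "__main__":
    for path, findings in audit_sources(SAMPLE).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```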
My theory is that most companies wait until the 11th hour to do anything about it -- pending acquisitions, litigation, bug investigations. It's one thing to have a policy in place but quite another to get anyone to comply with it.
Speaking of compliance, we use the word quite a lot in our industry. When talking about code audits it's important to delineate between government compliance and internal compliance. The latter is only mildly intimidating, and if you don't comply, it probably won't earn you any six-figure fines. Until we see legislation surrounding due diligence at the code level, we will continue to see what I'm going to coin "blindfold development": if you don't see it, then it doesn't exist, and if it doesn't exist, then there are no license or security issues. While we've seen a shift in awareness and understanding, there are still far too many companies drinking from that big ol' well of denial. Is there hope on the horizon? That's a deep question. Turning to the magic eight ball for answers, I gave it a couple of shakes. Just as I thought: 'All signs point to yes'.
--Melisa LaBancz-Bleasdale
