Managing 3rd party software

No company today is capable of developing its products in-house without using 3^rd party software. In most cases the process starts from outsourcing the operating system itself, continues with outsourcing specific protocol stacks and user interface engines, etc. These come from vendors which are sometimes called ISVs (Independent Software Vendors), middleware vendors or various other types of manufacturers.I came across Åse Stiller’s guest post on VisionMobile, where he recommends vendors build an end-to-end flowchart of how source codes of their products flow in and out of the organization. Such a flowchart shows insights on certain dangers and restrictions of use.

End-to-end Flowchart

The one important thing I can say is that managing 3^rd party software is crucial. It doesn’t only involve source code or binary libraries and header files, but it also involves the licensing agreement your company has signed and the restrictions associated with them. Some of the questions to ask would be:

1. Can I provide this source code to a subcontractor to work with?
2. For what purpose did my company license this software? Are there any restrictions on the kind of products I can develop with it, or the scale of the product?
3. What are the obligations of my supplier when I encounter problems? What kind of an SLA (Service Level Agreement) do I have with him?
4. Do I need to give credit regarding the use of the software? If so, how/where?
5. Can I expose this source code or its interfaces to my customers directly and effectively, thereby “reselling” what I licensed?

There is also a hidden aspect when using 3^rd party software and that is what 3^rd party software does your supplier use… You might find yourself restricted by his supplies one day.

If these suppliers are in the open community with the incorrect license, you might find yourself with the problem of having to open up your products and giving away your intellectual property.

In my particular business unit, where we mainly license protocol stacks and other SDKs (one can call our unit an ISV in this context), we often receive requests from customers to provide information on our use of open source, free software and 3^rd party components. The reason for this is simple: companies want to be sure they won’t be sued in the future due to source code misuse by their suppliers. It is also why our unit takes particular care when using source codes retrieved from the internet instead of writing it on our own (we almost never do it).

My suggestion?

Build the flowchart like Åse Stiller suggests, but also check your 3^rd parties with two main objectives in mind:

1. Understanding what 3^rd party software they use.
2. Understanding restrictions and obligations are placed on you when using their software.