As a software company, it is important to protect the integrity of your most valuable asset — product and code. Understanding and complying with your open source licenses is a necessary process. However, companies often have a delayed start for compliance concerns and rely on last-minute manual audits when a diligence situation arises.
Manual auditing is a natural starting point until cost inflates quickly, making it difficult to scale and maintain. The problem is sticky — the more you grow and rely on manual audits, the more significantly cost affects your organization. Depending on the experience or expertise level of your auditor, you may also be getting different milage for accuracy, risk reduction and consistency — all of which lack transparency for you.
Adopting an automated and integrated tool is a great way to ensure that compliance reliably scales with predictability and low costs.
Hidden Costs of Manual Audits
In a large software organization, staffing is by far the greatest cost. An effective way of evaluating any tool or process is to measure it in accordance with employee hours it costs and/or saves.
The base cost of auditing tools and services are generally quite high — you may be paying anywhere from $20,000 — $200,000/year just for a tooling license. However, these costs pale in comparison to the hidden time cost of auditing practices for your team.
To start off, your team first has to:
- Manually create component reports by consuming audits, services or developer hours
- Train themselves to understand and process the audit output, and establish a process to fill in missing information/retain changes
- Assemble copyright headers across deep dependencies for NOTICE files and attributions, then integrate into docs/website
And as the initiative grows, your costs start to scale non-linearly due to management overhead. These can include:
- Managing diffs and redundant work between audits
- Create training and policies to onboard your developers
- Manage back and forth communication between audit, engineering, legal teams
Finally, the major costs of a discrete / manual auditing process comes from its affect on your engineering team. By adding human gatekeepers, you can slow release velocity and force expensive engineering-heavy remediations.
Trusting Manual Audits
In addition to time and monetary cost, you will always have the human element applied to the quality and consistency of all these steps, and your ability to track/verify depends on your staff’s discipline in setting up an audit-friendly process.
Manual audits aren’t fast, but that's an expected tradeoff for accuracy – i.e. you hope your human approach would be more thorough. When your superstar-engineer-lawyer-unicorn is running one or two, you can usually trust their understanding of the process and code. However, as your software organization grows, your auditing process will scale in complexity with more products to manage, people involved, etc.
Counter-intuitively, manual auditing does not improve when it covers more ground – it actually gets harder to manage since because it scales in reverse with cost, efficacy and risk.
The gaps and variables that grow:
- Can you trust your developers to give you right answers?
- Do your lawyers understand the technical context of how OSS is used across the company in order to audit the right areas of the code?
- Are you losing any data in between audits from human error?
Your consistency, source of truth, and ability to verify are all variables dependent on how thoughtfully designed and educated your developers are, how educated your lawyers are, and how resistant your organization is against developer culture shifts.
Benefits of Automation
- No room for human error. Programs behave consistently every time, and even if there is an error in how an automated audit is performed, the error is predictable and reasonable to manage and track.
- Audits are continuous. There is no gap in between when your team last had manual resources to perform an audit – compliance work will happen simultaneously with engineering work.
- Centralized, self-audit-able process. Automation allows you to centralize how you control large-scale compliance scans. The best part is that automated audits leave a consistent paper trail, allowing you to audit the process itself and verify findings.
- Lower cost. Automation is one of the only ways you can ensure that you never do redundant work. And especially as you scale, automation is always cheaper than people.
In addition, there are tons of organizational benefits for your engineering team by having an automated and integrated solution:
- You can proactively defense against license violations to prevent costly remediation down the road
- Automation is natural for developers – and saving a few developer hours per release is often enough to fund the cost of implementing automation
Should I adopt a 3rd-party tool?
Your mileage will vary when adopting a 3rd-party tool, but you should consider the following:
- How much time are you losing each release with a manual process?
- How confident are you in your current level of coverage?
- Do you have buy-in from your engineers to implement automation?
- Is your codebase in a state where introducing automation is possible?
If you'd like to learn more about how compliance is automated in the field, schedule a demo with FOSSA: https://fossa.com/demo/