Friday, May 18, 2007

Home Grown is Not the Best Way to Avoid Rude Surprises

Home grown might work for vegetables, but it doesn't work for code compliance. The case of Google illustrates my point.

Darryl Taft at eWeek interviewed Chris DiBona, the open source programs manager at Google, and posted an informative story and Q&A. DiBona notes he is not currently using Black Duck's products because he has implemented "tight" controls over Google's use of open source components in software development.

I often talk to companies in situations similar to Google's. Black Duck's biggest competition is manual checks -- visual code reviews -- applied to software development to ensure that code is assembled properly. Almost without exception, and even though the internal processes can be very effective, these companies select Black Duck's product after talking to us. Here's why:

  • Manually driven processes don't scale. More and more companies are incorporating Black Duck's solutions to make software governance a standard part of the software development process. In this way, it's automated, and it's easy for anyone involved in the development process, including managers and other executives, to receive a report on what governance issues need to be addressed.
  • Large enterprises in particular are creating their own open source software stacks, and they are implementing them in a standard way across development. I would imagine that the Google developers would love this type of standard (if they have not implemented one already) as a way to streamline their process, and it also assists with those "tight" controls on the use of open source components. A Black Duck solution can be used to ensure these standard software stacks -- including open source, third-party, and proprietary code -- are used correctly within the development cycle.
  • Manual code reviews are far from perfect. While software developers feel "closer to the code" as a result of these code reviews, even companies with the best processes and intentions can violate policies and license obligations. We regularly talk to prospective customers that swear they have a foolproof compliance process, only to find "rude surprises" when they do a Black Duck code analysis.
  • Today software development is complex -- more assembly oriented -- and getting more complex. Code written in distributed locations, third-party code, open source code, scripting solutions, and other code is all assembled these days into a great soup, and this is bound to have "rude surprises".

There are even more reasons why Google and other companies should adopt enterprise-class automated code analysis solutions. But I will write about other examples of Google-like companies in future blog entries.

In the meantime, just remember that home grown code is not always a garden of delights -- vegetable or otherwise.