Intellectual property issues have become a paramount concern in software development projects lately, with a great deal of the angst arising from the use of open source software. Forging a business model to address this problem, Black Duck Software (http://www.blackducksoftware.com/) provides a platform to identify intellectual property during the software development process. InfoWorld Editor at Large Paul Krill spoke with Black President and CEO Douglas Levin, a former Microsoft executive, about Black Duck and issues pertaining to intellectual property and open source.
Could you explain the services that Black Duck offers?
We are not a really a services company, we're a product company. Black Duck offers a collaboration platform that enables companies to identify their intellectual property during the software development process. It's designed to accelerate software development and enable companies to reuse more software safely and under controlled conditions. The name [of the platform] is protexIP/Development. We have two versions of it. One is for the enterprise, which is a multi-user, multi-role, and multi-site deployment, [and there is also] protexIP/Development Professional Edition, and that's for a single user at a single site. Those are on-premises solutions. So they are installed on a server at the enterprise site. Alternatively, we have an on-demand offering ... hosted and accessible through the Internet.
There's also the open source angle to it. Could you elaborate on that?
There is an open source angle, but equally important, there is a binary or a proprietary software angle. Basically, software is increasingly being developed with components in oftentimes a distributed manner. So the components could be open source components, but they could also be third-party binaries. And they could be JAR [Java Archive] files that are being added to the code. If they're open source components, there oftentimes [is] a large group of them. So it could be two or three components, or there could be an open source segment that is many lines of code, or a code tree, which is a huge number of lines of code. Or it could be open source snippets, which could be two or three lines of code. And so oftentimes an entire solution may have a combination of open source plus proprietary code. Proprietary code could be from a standard software developer, like Oracle or another company, which develops proprietary software. Or proprietary code could be homegrown software developed in-house by the enterprise. And so code is now basically layers: multiple layers of in-house code plus third-party code plus open source code. And what we're able to do is differentiate all of that different code in the software in source code ... to identify intellectual property.
Why do you see this as a growth area?
We are finding two major growth areas. One growth area is in the enterprise, where there are lots of companies that either want to use more open source software and third-party code in conjunction with their in-house development or what they want to do is review the code that they've already developed and find either accidental or intentional uses of open source code that they don't know about. Or they're checking the licensing for their third-party code. So one growth area is software development in the enterprise, and that is substantial, and I'll give you a little bit of data about that after I describe the next growth area. The next growth area is in the area of due diligence for financial transactions, which are mainly funding by VC or M&A transactions. And the growth on both sides -- the enterprise as well as the financial transactions -- is very significant. We're finding that the numbers of companies who are seeking the on-demand solution, which they typically use for financing and M&A, are a steady stream of companies that are reviewing their code. Or the companies that are financing them are reviewing the code. Or the companies that are purchasing them are doing the analysis. So there are different parties involved with the on-demand application. Whereas, with the enterprise application, we are seeing some substantial growth there -- and this is among Global 2000 companies, who are increasingly realizing their software assets are things that they have to evaluate thoroughly for third-party ownership or IP, which is associated with the open source world.
Could you talk about the secret sauce that basically is the key to your product? What differentiates it and how does it work? And, could you tell me when the company was founded and how many clients you have at this point?
Well, I'll go in reverse order. We were founded of December 2002. We first shipped in May of 2004. So we have two-plus years of shipment. In fact, we had our two-year anniversary party. We [have] shipped protexIP to more than 200 customers, I don't know the exact number, but it's well over 200 customers. And we've had 300 percent customer growth in the last year.
How does your product work?
For the enterprise, the most important consideration is a configurable IP. What I mean by IP of course is intellectual property, [a] policy management module, which permits or prohibits components and licenses. Plus, there is an advance code identification module, which uses a number of techniques, and this is related to your question about secret sauce. It's snippet-matching, file-matching, string search, and dependency analysis, which all go into an analytical engine that automates license identification and IP analysis.
Who are some of your biggest customers?
Well I don't know [who] the latest referenceable customers are, and we can definitely get back to you on it, but we've named some if them. [They include] the Navy, Samsung, [and] we have a couple of banks.
Who do you consider to be your biggest competitors? Companies such as Palamida (http://www.palamida.com/) or OpenLogic (http://www.openlogic.com/index.php)?
OpenLogic is not a competitor, they're a partner.
OpenLogic sells a pre-configured stack of open source components, and we provide all the IP identification characteristics. What they do is certifying and testing and configuration of stacks. SpikeSource (http://www.spikesource.com/) is also a partner of ours. They are not competitors.
How do you partner with SpikeSource?
Those two stack vendors have different approaches to the market. So OpenLogic appeals to the enterprise, SpikeSource appeals to the middle market. And what we've done is we provide an automated solution to SpikeSource, and what we do is we jointly call on enterprises with OpenLogic. So [it is] two entirely different approaches to the market, and because of the flexibility of our platform, we're able to offer these partners different ways of engaging with their customer base.
That leaves Palamida. I think they are a competitor. Correct?
I would characterize them as a competitor, but not our primary competitor.
Who would your primary competitor be?
In-house solutions cobbled together by companies. We frequently go into banks in New York City, manufacturing companies in the Midwest, companies in Europe, and various other places all over the world, and what we find are cobbled-together solutions. We don't find Palamida. They're not even mentioned. There are companies that have mentioned Palamida in California, but they're relatively few. Palamida is a scanning tool. It is a small company in comparison to Black Duck. We have literally hundreds of customers, they may have a few.
How many companies today are at risk because they unknowingly use -- I mean there's no definite number of course -- but how many companies would you say are at risk because they unknowingly use proprietary software code in an open source fashion without proper permissions?
Typically, larger companies that have large groups of developers are more at risk than smaller companies. And the reason why is because with larger companies, you have a larger span of control that you have to maintain over the developer group. Also, larger companies have a tendency to outsource to areas like India or China and other places who don't respect intellectual property as much as the U.S. does or other countries, like European countries.
So would you say that outsourcing to other lands is an issue. What could happen to a company that unknowingly uses somebody else's software?
Well, one of the risks is that if there's a proprietary software company, that the proprietary software company comes back and demands new license payments. Also, the terms of the proprietary software company oftentimes explicitly call out that it's prohibited to combine open source with that proprietary software company's code. Alternatively, with open source licenses, if you don't use them properly you could be identified on Slashdot (http://slashdot.org/) or t he FSF (http://www.fsf.org/), the Free Software Foundation. You could be involved with discussions with them.
How would somebody find out if you're using software that you're not supposed to, other than a disgruntled employee? How would somebody get caught, whether they're doing it knowingly or not?
Disgruntled employees are one of the sources. Typically, those are the people who identify those companies on Slashdot or other sites, maybe in their blogs. The other way is reverse-engineering. So there's a whole group of cases that have been brought by a guy named Harald Welte, who is a guy who maintains a site called gpl-violations.org (http://gpl-violations.org/). And I forgot -- I don't know the exact number of cases that he brought, somewhere in the neighborhood of 12 to 17 cases, mainly GPL-oriented and mainly involving embedded software, where he reverse-engineered the software, rather the hardware and software in some cases. And he was able to identify the GPL in there. So he's brought the litigation in German courts, but there's also been litigation in Danish courts, in Korea, and there have been several cases in the U.S. So the answer to the question is, Usually it's reverse-engineering. Sometimes it's disgruntled employees. Sometimes it's literally source code that has been shared in OEM cases or in other cases and the company just unknowingly did it. And the final thing is that a lot of times the software is identified as a matter of a due diligence during the course of financial transactions. And it does affect the price of the ultimate deal, or it has in the past. The reason why it's less so today is because increasingly companies are using Black Duck on-demand in their financial transactions.
Your services would cover companies that are selling software or just developing it in-house for their own use, correct?
Yes, the whole world of enterprises using it for in-house purposes, as well as [a] separate world of software developers, technology companies, embedded software developers, that whole group, who are either reselling software or selling their companies or financing their companies.
How far do you think the paradigm of open source, with users paying nothing to license software, can go before it kind of acts like a generator on a car where people stop producing software if there's maybe not so much money in it?
Well I think it's going to go very far. I think that the next phase in free and open source development is an expansion in the enterprise space, where companies get together, sometimes competitors, get together on open source or free and open source projects. And they solve a problem that [is] nagging at them. The pain point may be, for example, a bunch of automobile manufacturers coming together to address a supply-chain application or a supply-chain software solution. Or a bunch of manufacturing companies working together to address a particular software problem in the hardware of a drill press that they're all using, and that the company has either gone out of business or they're not using that particular model and those companies want to continue to use that model. So there are a myriad number of applications out there that are not necessarily commercial, which are possible and necessary, which are not being addressed by vendors today. And that's where the great growth is going to be in the next couple of years.