Software Audit Checklist No. 19: OSS / free software usage technology

19/02/2021 Audit for software development

The second topic of the design and implementation checklist is OSS, and the third is free software.

In the articles before and after this one, we introduce each item of the audit checklist used for software development audits. The checklist is divided into (1) development process, (2) requirements management, (3) testing and (4) design and implementation; this article covers OSS and free software within (4) design and implementation.

I will introduce each item in turn. (The checklist itself can be found in the article Software Audit Practice / Checklist No. 17: Development Technology / Design and Implementation (Overview), so please refer to that.)

Check the quality of OSS (open source software) through selection rules and market track record

Alongside purchased software, which is obtained by paying another party, open source software is increasingly being incorporated into products. The most prominent example is the Linux OS. Now that Internet connectivity has become essential, open source software is often adopted for that purpose. As with purchased software, it is important to check how the quality of this open source software is assured. So let's look at the items whose numbers start with OS- in order.

[Item number: OS-01]

As with purchased software, the first important point is whether the department that selects open source software, the selection method and the selection criteria have been decided. We check whether there are written rules, whether customary rules exist even if they are not written down, and whether the selection work is actually carried out according to those rules.

[Item number: OS-02]

Unlike purchased software, the quality of open source software cannot be assured by the seller's testing, so it has to be confirmed from its track record in the field. Make sure the procedure for checking the quality of open source software in this way is clear.

[Item number: OS-03]

Having confirmed in OS-02 the procedure for checking the quality of open source software, we now check, following that procedure, the quality status of the open source software used in the outsourced development under audit. Specifically, we look at the records of the actual confirmation results, paying attention to how thoroughly the market track record of the open source software was confirmed.

[Item number: OS-04]

Open source software comes under a variety of license conditions. Depending on those conditions, it may not be possible to use it in your product. Regarding the adoption of open source software, we check whether there are rules for approval or rejection organized from the viewpoint of license conditions. Put simply, this confirms whether it has been specifically decided which license conditions rule out the use of a piece of open source software.

[Item number: OS-05]

In OS-04 we confirmed that the criteria for judging whether a given open source license permits adoption are clear. Next, we check who applies those criteria to decide whether particular open source software may be used, at what point in the process, and whether that decision procedure is clear.

[Item number: OS-06]

Depending on the license of the open source software, it may be necessary to display the license text in the instruction manual or on screen, or to provide the source code on request from the end user. If you use open source software under such license conditions, you must carry out activities to satisfy them separately from the activities of designing, manufacturing and shipping the product itself. We therefore check carefully what mechanism is in place inside and outside the company for this purpose.

[Item number: OS-07]

When using open source software, you should also pay attention to how stable its quality is. Basically, open source software improves in quality because many people use it, find latent bugs and fix them. Therefore open source software that has only recently been developed still contains many latent bugs, and bug-fix releases come out frequently. You can gauge how often the open source software you intend to use releases bug fixes, and just looking at the state of the last one to two years lets you infer how stable its quality is. We check whether there is a means to confirm the stability of such open source software.

Vendors do not guarantee the quality of free software, so check it carefully

Free software, broadly, is a large category that includes open source software. However, Gutara's father defines free software in a somewhat narrower sense. Specifically, drivers supplied by chip vendors and software called SDKs (Software Development Kits), which are provided free of charge but for which the vendor takes no responsibility for quality, are collectively referred to here as free software.

These pieces of software, sometimes called sample code, are in some cases provided as source code by the chip vendor, free of charge and without warranty, on the assumption that the company that purchased the chip will modify them as necessary and use them in its product. It is therefore the responsibility of the party incorporating the software to build it into the product and assure its quality.

If you use such free software, you need to carry out activities to confirm and assure its quality. Some confirmation items are very similar to those for purchased software and open source software, but in some cases confirmation has to reflect the particular characteristics of free software, and we check such points one by one in the checklist items.

[Item number: FS-01]

First, check whether the procedure for selecting free software and deciding whether to adopt it is clear. Who checks which items to decide whether to adopt this free software? Is the sample code provided by the chip vendor used as-is or reworked? There are many points to consider when adopting it, so unless selection and adoption decisions proceed according to a defined procedure, some considerations will be omitted or overlooked. We check whether such procedures and criteria have been established for free software, paying attention to these points.

[Item number: FS-02]

Free software is provided by the chip vendor exclusively for its chip, so its only users are the manufacturers that use that chip. Therefore the open source approach, where use in many different situations surfaces latent defects that then get fixed, cannot be relied on to improve quality. The quality of free software depends on how well the chip vendor fixes latent bugs. We therefore have to check quality from limited information, such as the extent of the usage record and the state of recent version upgrades. We check the procedure and method used to confirm the quality of free software, paying attention to these points.

[Item number: FS-03]

As a concrete instance of the quality-confirmation method checked in FS-02, we confirm, using actual examples, how much information can be obtained about the track record in the field, which seems the easiest indicator to understand. This item does not check what the procedure or criteria are; it checks whether an effective judgment about quality can be made from the quantity and quality of the information actually obtained by following the procedure. I check this carefully, paying attention to these points.

[Item number: FS-04]

When free software has only just been developed by a vendor, it contains many latent bugs, so bug fixes tend to be released frequently. In rare cases a fixed version is hardly ever released even though bugs exist, but it is better not to use such free software. There are various cases, but the most reliable way to check the stability of free software is to look at the frequency and content of releases. We pay attention to whether such a procedure has been decided and whether the activity is actually carried out.
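One way to put the release-frequency check described in OS-07 and FS-04 into practice, as an added example that is not part of the original article: the release history, the classification thresholds and the verdict labels are all constructed assumptions, not figures from the checklist.

```python
from datetime import date, timedelta

# Constructed release history for a hypothetical library (not real project data):
# (version, ISO release date, True when the release only fixes bugs)
RELEASES = [
    ("2.0.0", "2019-03-01", False),
    ("2.0.1", "2019-03-09", True),
    ("2.0.2", "2019-03-30", True),
    ("2.0.3", "2019-05-02", True),
    ("2.1.0", "2019-09-15", False),
    ("2.1.1", "2019-10-01", True),
    ("2.1.2", "2020-02-12", True),
    ("2.2.0", "2020-08-20", False),
    ("2.2.1", "2020-11-03", True),
]


def stability_report(releases, as_of, window_days=730, max_fixes_per_year=4.0, stale_days=365):
    """Summarise the bug-fix cadence over the trailing window and classify stability.

    The window length and thresholds are constructed audit values for this example."""
    as_of = date.fromisoformat(as_of)
    window_start = as_of - timedelta(days=window_days)
    midpoint = as_of - timedelta(days=window_days // 2)
    dated = [(v, date.fromisoformat(d), fix) for v, d, fix in releases]
    recent = [r for r in dated if window_start < r[1] <= as_of]
    fixes = [d for _, d, fix in recent if fix]
    # Compare the two halves of the window: a falling fix rate suggests the code is settling
    older = sum(1 for d in fixes if d <= midpoint)
    newer = len(fixes) - older
    fixes_per_year = len(fixes) * 365 / window_days
    last = max((d for _, d, _ in dated if d <= as_of), default=None)
    days_since_last = (as_of - last).days if last else None
    if last is None or days_since_last > stale_days:
        verdict = "stale"      # no recent release: no evidence anyone still fixes bugs
    elif fixes_per_year > max_fixes_per_year and newer >= older:
        verdict = "unstable"   # fixes still frequent and not declining
    else:
        verdict = "stable"
    return {"releases_in_window": len(recent), "bugfix_releases": len(fixes),
            "fixes_per_year": round(fixes_per_year, 1),
            "fixes_older_half": older, "fixes_newer_half": newer,
            "days_since_last_release": days_since_last, "verdict": verdict}


if __name__ == "__main__":
    for key, value in stability_report(RELEASES, "2021-02-19").items():
        print(f"{key}: {value}")
```

The same function applies to a chip vendor's SDK release notes once they are entered in the same (version, date, bug-fix) form.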

At the end of the design and implementation checklist comes the confirmation of in-house software.

After the confirmation items on OSS and free software, we finally reach the confirmation items on in-house software.

Next: Software Audit Checklist No. 20: In-house software design/implementation technology (1/2)