There are many characteristics that qualify a great auditor; some are obvious and some are not. If you are looking for someone with previous experience as an Open Source Auditor, your chances of finding him or her are slim to none. Few people have worked in this position, and finding one who is an active job seeker is difficult. Given the challenge of finding a candidate with previous work experience, the following are characteristics your auditor should possess.
Inquisitive: Inquisitiveness is a must for any auditor. Much like the curious child who constantly asks “Why?” after every statement, you need an auditor who constantly questions the code he or she is analyzing. With many opportunities for an auditor to be misled during an audit, it is important for a candidate to naturally question what he or she finds. An investigative attitude might result in an occasional wild goose chase, but it will drive the audit to the correct resolution.
Example: Anyone who regularly works with open source software knows that the majority of open source code is reused by other open source projects. Not knowing what is bundled in the code can lead to compliance failure. Some open source projects list what is bundled in the project, but this is not always the case. You need someone to question the little pieces of information, such as a random copyright or a miscellaneous license.txt file.
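The "little pieces of information" above (a stray copyright line naming someone other than the project owner, or a license.txt sitting below the top level) are exactly what a first-pass sweep can surface before the auditor reads line by line. The following is an added example, not code from the original post, that walks a source tree and reports those two signals; the project name "Example Corp" and the sample files are constructed for illustration.

```python
"""Heuristic sweep for bundled third-party code: stray license files and foreign copyright lines."""
import re
import tempfile
from pathlib import Path

# Matches "Copyright (c) 2014 Example Corp" and "Copyright 2009 Foo Authors."
COPYRIGHT_RE = re.compile(
    r"copyright\s*(?:\(c\)\s*)?(?:[\d, -]+)?\s*(?P<holder>[^\n]+)", re.IGNORECASE
)
LICENSE_STEMS = {"license", "licence", "copying", "notice"}


def scan_tree(root, project_holder):
    """Return a list of (relative path, kind, detail) findings worth a closer look."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        # A license file that is not the project's own top-level one usually marks bundled code
        if path.stem.lower() in LICENSE_STEMS and path.parent != root:
            first_line = next((l.strip() for l in text.splitlines() if l.strip()), "")
            findings.append((rel, "license-file", first_line))
        for m in COPYRIGHT_RE.finditer(text):
            # Keep the holder name only: drop a trailing sentence or comment closer
            holder = m.group("holder").split(".")[0].strip(" */")
            if project_holder.lower() not in holder.lower():
                findings.append((rel, "foreign-copyright", holder))
    return findings


def build_sample_tree():
    """Constructed example tree (not a real project) with one bundled component under src/vendor."""
    root = Path(tempfile.mkdtemp())
    files = {
        "LICENSE": "Apache License 2.0\n\nCopyright (c) 2014 Example Corp\n",
        "src/main.c": "/* Copyright (c) 2014 Example Corp */\nint main(void) { return 0; }\n",
        "src/vendor/inflate.c": "// Copyright 2009 Other Project Authors. All rights reserved.\n",
        "src/vendor/license.txt": "MIT License\n\nCopyright (c) 2009 Other Project Authors\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Running `scan_tree(build_sample_tree(), "Example Corp")` flags only the files under `src/vendor`; the project's own files are silent because their copyright holder matches. The output is a list of leads for the auditor, not a verdict, since a matching holder name says nothing about whether ten lines were pasted in from elsewhere.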
Tenacious: There are plenty of obvious factors that determine the length of an audit, from project size to the amount of open source being used. There are also plenty of unexpected issues that arise and can extend the audit duration. While conducting audits, an auditor spends many hours combing through code. It can be challenging to sit down and analyze a 500k-file audit. An auditor with persistent determination ensures that the audit is completed as promptly as possible.
Scrupulous: Many words can be used to describe this trait, whether it is meticulous, diligent, thorough, or attentive; but at the end of the day, you need a person who possesses this trait. An accurate audit demands work at the most granular level. It is not enough to have a person come in and spot-check a handful of files; he or she needs to dig much deeper. An auditor needs to analyze code on a line-by-line basis, and highlight areas for potential copyright infringement.
Example: Imagine a developer is writing code and copies ten lines of open source code into the code he or she is writing. Even those few lines of code can lead to a compliance risk, because the license still applies.
Of the many characteristics that make a good auditor, these three traits are prerequisites for hiring an auditor. A person with these qualities will prove a great asset to the auditing team. He or she will be able to put their head down and get to work searching through source code while making fewer errors and identifying more open source code than someone without these qualities.
Open source auditors (I have met only a handful of others in this field) are all diverse in previous work experience, education, interests and hobbies. That being said, these three common traits exist consistently among those who enjoy this work.
What makes for a successful open source code auditor? Does your organization have the internal resources and talent to correctly scan source code? Have you considered using a scanning governance tool?