Dr. Paul Martin
Delivering a successful code review for our clients requires planning and preparation, and this all begins with the terms negotiated in the Protective Order (PO). Not only do the terms of the PO create the conditions necessary for a convenient and time-efficient code review, but they can also mean the difference between effective analytic discovery and the failure to find that key element that would be the foundation of a winning case. Investing in the PO negotiation to ensure that the right tools, policies, and procedures are in place to support a rigorous, professional code review is a key first step in every Harbor Labs case.
It is not unusual for opposing counsel to provide hardware that is less than ideal for effective code review. A single small-screen laptop, for example, is a gesture intended only to limit the reviewers’ effectiveness. To the extent possible, the PO should specify an ergonomically correct setup that includes a separate monitor, keyboard, and mouse. A two-monitor setup is ideal, as it is highly effective for complex code reviews, especially in those cases where it is necessary to review and compare multiple code blocks side by side. It is also important that each reviewer on site be provided with their own separate workstation. Resource sharing is another maneuver that can be used to limit the reviewers’ productivity in the time they are allotted, and it should be expressly precluded in the PO.
Perhaps the single most critical element of the PO is ensuring that the correct software tools will be available for the review. It is particularly important to establish the software requirements up front, as it is difficult to request them after the PO is executed, and almost never during the review itself. Identify the language of the source code to be reviewed and specify the corresponding viewers and analytic tools for that language in the PO. Also specify the applications that will be needed, including text editors and document viewers, as well as a generic software toolset. Build redundancy in the toolset to ensure availability. For example, have two instances of grep, one in the Windows Subsystem for Linux and one in git.
Printing requirements should also be negotiated in the PO. Identify a page cap that is reasonable for the size of the source code and reject arbitrary limits that might be imposed by opposing counsel. Harbor Labs typically agrees to page limits that correspond to the amount of code to be reviewed, but will also request a “reasonable additional number of printouts” in the PO to account for any unforeseen print requirements. Be sure to include a text editor that allows line ranges to be printed, as this will allow the reviewer to make more efficient use of their page limit.
Whether through oversight or gamesmanship, it can be easy for a PO to contain terms that impose hardships on the reviewer or limit their effectiveness. By weeding out these obstacles in the PO negotiation process, and inserting terms and conditions that increase quality and productivity, Harbor Labs is able to create the conditions necessary for a successful code review.