Negotiating a Protective Order for Code Reviews

Jan 26, 2022

Your Protective Order could set the stage for a successful code review and case or a long, arduous process. How do you ensure your analysts have the best access and avoid hardships as they look to help build your case?

Dr. Paul Martin

Director of Firmware Security

Delivering a successful code review for our clients requires planning and preparation, and this all begins with the terms negotiated in the Protective Order (PO). Not only do the terms of the PO create the conditions necessary for a convenient and time-efficient code review, but they can also mean the difference between effective analytic discovery and the failure to find that key element that would be the foundation of a winning case. Investing in the PO negotiation to ensure that the right tools, policies, and procedures are in place to support a rigorous, professional code review is a key first step in every Harbor Labs case.

It is not unusual for opposing counsel to provide hardware that is less than ideal for effective code review. A single small-screen laptop, for example, is a gesture intended only to limit the reviewers’ effectiveness. To the extent possible, the PO should specify an ergonomically correct setup that includes a separate monitor, keyboard, and mouse. A two-monitor setup is ideal, as it is highly effective for complex code reviews, especially where it is necessary to review and compare multiple code blocks side by side. It is also important that each reviewer on site be provided with their own separate workstation. Resource sharing is another maneuver that can be used to limit the reviewers’ productivity in the time they are allotted, and it should be expressly precluded in the PO.

Perhaps the single most critical element of the PO is ensuring that the correct software tools will be available for the review. It is particularly important to establish the software requirements up front, as it is difficult to request them after the PO is executed, and almost never possible during the review itself. Identify the language of the source code to be reviewed and specify in the PO the corresponding viewers and analytic tools for that language. Also specify the applications that will be needed, including text editors and document viewers, as well as a generic software toolset. Build redundancy into the toolset to ensure availability. For example, have two instances of grep, one in the Windows Subsystem for Linux and one in git.

Printing requirements should also be negotiated in the PO. Identify a page cap that is reasonable for the size of the source code and reject arbitrary limits that might be imposed by opposing counsel. Harbor Labs typically agrees to page limits that correspond to the amount of code to be reviewed, but will also request a “reasonable additional number of printouts” in the PO to account for any unforeseen print requirements. Be sure to include a text editor that allows line ranges to be printed, as this will allow the reviewer to make more efficient use of their page limit.

Whether through oversight or gamesmanship, it can be easy for a PO to contain terms that impose hardships on the reviewer or limit their effectiveness. By weeding out these obstacles in the PO negotiation process, and inserting terms and conditions that increase quality and productivity, Harbor Labs is able to create the conditions necessary for a successful code review.
