Software licensing is one of those Goldilocks issues. Buy too few licences and you're out of compliance. That's bad from an ethical perspective, and if someone tips off the BSA there are financial as well as reputational repercussions.
But paying for more software than is actually used around the organisation is akin to pouring money down the drain.
According to Flexera Software CEO Jim Ryan, shelfware is a $2 billion issue in Australia alone.
He believes that any deviation from licence compliance is rarely intentional at the corporate level; rather, it occurs because employees are simply trying to get their jobs done.
The increased use of virtualisation and cloud computing makes it harder for organisations to stay compliant.
Flexera straddles both sides of the licensing market. On one hand it provides software vendors with installation and monetisation tools, and on the other it has a range of licence optimisation, deployment and vulnerability management tools for software users.
Although Flexera is based in Chicago, its licence optimisation software is developed in Box Hill, a suburb of Melbourne.
Flexera acquired a local company in 2010, and "we got great people with it," some of whom have been with the business for one or two decades, said Ryan.
There are now 60 developers at the Box Hill operation, twice as many as there were at the time of acquisition.
"The Melbourne team is at the epicentre of what we're doing," he said.
Flexera's FlexNet Manager Suite for Enterprises can manage all types of applications and licence models, and reconcile licence entitlements with actual application installation and usage data.
Most organisations have "no idea who's using what software," Ryan suggested, but the suite can reveal the software that's been deployed (across the organisation or broken down by geography, business unit, role or individual), the versions, and the licence terms and conditions for each.
Flexera's software vulnerability solutions tie in with licence management because both require an ongoing software discovery and inventory process - if you don't know what software is running in your organisation, how can you check that it is properly licensed and up to date?
"Application vulnerability is one of the greatest risks in security," said Ryan.
Part of the problem is that the software industry doesn't treat itself as a supply chain. There's no bill of materials for software that could include open source and other components.
That's where Flexera's recent acquisition of Palamida comes in, by providing insight into the components used in a particular piece of software.
And having identified vulnerabilities, the next step is to quickly remediate the software involved, he said, and Flexera has the tools to do that.
Some organisations, especially those in the financial and certain other sectors, "have put in place industrial grade procedures" to handle patch management, but others are leaving themselves exposed to exploits, he warned.
Flexera's Copenhagen-based team curates patch data and does its own testing to determine which are the most important so that customers have the information they need to decide whether unscheduled updates are justified. It also identifies incompatible combinations of patches.
If the financial implications of licence optimisation are the primary concern, then organisations with at least 1000 employees can benefit from Flexera's tools, said Ryan.
"Virtually every major financial organisation" in Australia is a Flexera customer, he said.
Another is professional services firm GHD.
But when the perspective is the protection of sensitive data (such as personal information and credit card details), Flexera is relevant to much smaller companies, he said: "Anyone buying software should talk to Flexera."