
Next-generation audit reports: Enhanced visibility into open source risks in M&A transactions

Black Duck audit reports help you understand your license compliance, software security, code quality, and web services risks—and now they’re even better.


Our customers rely on Black Duck audits to help them understand open source license compliance and security risks quickly and easily. The key deliverable in any audit is the report that helps you understand those risks. Based on your feedback, our reports just got better.

Black Duck has been delivering open source audits for more than a decade, and we constantly strive to improve the way we work and deliver audit results. About five years ago, we moved from text-heavy PDF reports to hosted, visually polished interactive reports. Based on feedback from our customers and the lawyers who advise them, we are once again changing our approach, with a new set of reports and an improved delivery process.

Background

For the last five years, we have delivered reports via our custom portal. Clients can log in and view or download reports. Reports are, essentially, interactive applications that are visually appealing and easy to navigate, sort, and filter. Each is accompanied by Appendix A, a multitab spreadsheet that looks, well, like a multitab spreadsheet. For customers who require a broader view of risks with our Open Source Risk Assessment, we provide a PDF Executive Summary.

Feedback

The feedback we have heard is that customers appreciate the look and ease of use of the interactive reports. Those aspects are particularly helpful for new customers. But most of our experienced customers, and the many attorneys who advise them, opt primarily to use the spreadsheet report because it is both comprehensive and easy to share. We also heard that some customers appreciated the narrative-style reports that preceded the interactive reports to share with executives.

Across every industry, cyber attacks have escalated in frequency and sophistication over the last five years, and a custom customer-facing portal is an attractive target. Consequently, we have invested significant engineering effort in hardening the portal. Our internal feedback is that we would rather spend that effort developing new audit capabilities, provided we can do so without weakening the security of report delivery.

Best of all worlds


Our new approach builds on the best of past approaches. The mainstay report is an enhanced spreadsheet that combines the graphical look-and-feel of the interactive report with all the details of Appendix A and more. We complement that with a completely revamped Executive Summary Report that provides a narrative crafted specifically around the various issues discovered in the codebase. It summarizes the overall status, then each area of risk, and leverages the data behind our annual risk report to compare the codebase to industry averages along a number of dimensions. Additionally, we provide a License List Report that includes text from all open source licenses relevant to the codebase. It also includes any unusual custom license terms that we have unearthed.

Going forward, all reports will be plain Excel or PDF files with no embedded scripting or macros, so you can share them with colleagues or advisors via email or post them to a virtual data room without tripping attachment filters or raising questions about active content. We will distribute reports via Citrix ShareFile, an industry-standard secure file-sharing service, rather than through our own custom portal.

Broader picture

Over the last five years, we have also been building out our portfolio of audit offerings. We expect that most customers will continue to come to us because of our gold standard reputation for open source audits, but today we also regularly provide an array of software security (building on the company’s deep expertise in this area), code quality, and web services audits. Reports from these audits all have the same look, feel, and structure and are delivered through ShareFile. Customers are telling us that in the heat of the M&A battle, they value one-stop shopping for industry-leading due diligence services. See how PointClickCare uses Black Duck On-Demand Services to reduce risk with their acquisitions.

Your feedback

We are confident that you will be pleased with our new approach, and we’ll continue to look at new ways to enhance reporting and the overall audit process. Your feedback matters and drives our future improvements. Please let us know what you think and how we can better serve and support you. I promise that we take every request seriously and will strive to incorporate your feedback into our plans moving forward.

Want to learn more? Check our in-depth webinar (and demo) of the next generation of Black Duck audit reports.


This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Phil Odence. Read the original post at: https://www.synopsys.com/blogs/software-security/black-duck-audit-reports/