Black Duck Audits: Not just for M&A

by Shandra Gemmiti on June 2, 2020

If you don’t have an SCA tool, a software audit can give you a bill of materials needed for product releases, vendor requirements, and procuring insurance.

For over 15 years, Black Duck Audits have been the industry’s most trusted open source due diligence solution for M&A. And with open source usage growing at a much faster pace than open source governance, it’s no surprise we continue to audit hundreds of codebases at the core of M&A transactions every year.

We publish our (anonymized) audit findings every year in our Open Source Security and Risk Analysis report. As we noted in the 2020 report, our 2019 software audits found a 49% increase in open source components use compared to 2018. In fact, open source composed 70% of the average codebase, up 17% from 2018. But we also found that open source license conflicts increased in nine industries, unpatched vulnerabilities increased by 25%, and an overwhelming 91% of codebases contained obsolete or unmaintained components.

Based on these findings, it’s clear that open source governance needs to catch up to open source usage so teams can continue to reap the benefits that open source provides. If you’re concerned that you don’t have the internal resources to implement a software composition analysis (SCA) tool at the moment, or your use case doesn’t require continuous management, our software audit team is here to help. A Black Duck Audit provides a comprehensive point-in-time snapshot of the open source in your applications in multiple scenarios. Below are just some of the use cases our audit team sees, beyond M&A due diligence.

Sponsorships Available

You’re preparing for an investment or potential acquisition

In M&A transactions, it’s often the buyer who asks us for an audit of a target codebase. Beyond open source risk, they also might want to understand the overall code quality or security posture of the application. But target companies don’t have to wait for due diligence to be surprised by audit findings.

Companies preparing for a sale or a large round of funding can contact us to get a handle on what might trip them up in diligence. They don’t always have time to buy and implement an SCA tool ahead of a potential acquisition or investment. But that doesn’t mean they can’t get ahead of any potential issues. Software audits typically take a matter of weeks to go from initial meeting to delivery. This timeframe allows the team to identify and fix any critical issues before entering a funding or investment round.

You need a product release audit

Some companies with small teams don’t have the internal resources to implement and manage an SCA tool. Instead, these customers might ask the Black Duck Audits team to audit an application ahead of a big product release or on a quarterly or bimonthly cadence.

By performing an audit right ahead of a major release, the company gets a point-in-time snapshot of the application, giving them the opportunity, for example, to catch an open source license issue before the application ships (thus triggering key license obligations).

By performing software audits periodically, teams get a leg up on a lot of companies who are still grappling with open source governance. While they miss out on the continuous monitoring and management of open source that an SCA tool provides, they can still stay on top of their bill of materials (BOM), license obligations, and potential security vulnerabilities as best they can with the resources they have.

A potential customer or partner requires a software bill of materials

In the recently published Magic Quadrant for Application Security Testing, Gartner states, “By 2024, the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.”¹

In other words, software vendors can expect buyers to begin asking for an up-to-date software BOM in the procurement process. Potential partners may also require this BOM ahead of a partnership agreement. For a software vendor trying to prepare for these future buying requirements, a Black Duck Audit can be a place to start.

You’re procuring insurance

Finally, procuring insurance for your business can lead to a list of requirements that include a BOM and the identification of potential license or security risks. Before an insurance company provides intellectual property insurance specifically, they will likely require, at a minimum, a list of all the license obligations of the software and assurance that the business has met those obligations.