Black Duck is well-known for open source audits, but that is only a piece of the technology due diligence puzzle. Auditing code quality assesses other aspects of a company’s software assets and completely complements an open source audit. Both audit types dive into issues that impact the valuation of a company’s software assets in an M&A transaction.
What's in a Modern Code Base?
A modern code base is made up of components from a variety of sources combined with proprietary code to “stitch” them together and add unique value. Increasingly, developers are leveraging the benefits of millions of open source components freely available on the Internet. But, most companies are not set up to track open source usage and can’t, therefore, identify what open source is being used in a code base. An open source audit provides visibility into the components in a code base and the associated legal, security and operational risks.
Aspects of Technical Diligence
An open source audit provides extremely useful information for assessing the value of software assets, however there are other aspects to be considered as part of technical diligence. A Black Duck Code Quality Audit (CQA) looks beyond the open source components to the quality of the code overall and the processes behind it.
Assessment of Code Quality
The first part of the CQA is a quantitative analysis. Similar to an open source audit, the audit leverages automated tools to analyze the software for the quality of the coding. The tools are language-specific; they identify coding problems and produce metrics to gauge the overall quality of the code. Reports compare the metrics to industry averages for projects of similar technology and scope. How well the code was written impacts its usability and reliability as well how hard or easy it might be to maintain. You might find, for example, that although the code functions and demos well, it is poorly written and documented, and will be difficult to maintain and grow.
The CQA also includes an extensive qualitative analysis. Expert consultants with decades of broad software experience interview one or more key development personnel to dig into how the software is developed. They look at everything from how the software is built, tested and maintained to how feature requests are managed. They can even assess how effectively the development organization could grow. For example, if all the good ideas are in the head of the technical founder and leadership is otherwise weak, it might be difficult to scale the operation.
The qualitative CQA may complement an organization’s own due diligence efforts, or it may overlap. Some clients choose to have us team with their technical resources, providing them just a quantitative look at the code they would not otherwise have access to.
Managing Software Development
It’s critical to assess open source risk in any deal where software assets are a significant part of valuation. In addition, with so much open source being used today, managing open source is an important element of the overall management of software development. If a company does not have a good handle on their open source use, that may be indicative of other problems in development process. For companies who don’t have the wherewithal to assess on their own, complementing the open source audit with a CQA gives broader insight into the quality of software and the processes by which it was produced.