Auditing Code Quality: A Broader Picture

Black Duck is well known for open source audits, but those are only one piece of the technology due diligence puzzle. Auditing code quality assesses other aspects of a company’s software assets and complements an open source audit. Both audit types dive into issues that affect the valuation of a company’s software assets in an M&A transaction.

What's in a Modern Code Base?

A modern code base is made up of components from a variety of sources, combined with proprietary code to “stitch” them together and add unique value. Increasingly, developers are leveraging the millions of open source components freely available on the Internet. But most companies are not set up to track open source usage and therefore can’t identify what open source is being used in a code base. An open source audit provides visibility into the components in a code base and the associated legal, security and operational risks.

105: Average number of open source components found in each application

Aspects of Technical Diligence

An open source audit provides extremely useful information for assessing the value of software assets; however, there are other aspects to be considered as part of technical diligence. A Black Duck Code Quality Audit (CQA) looks beyond the open source components to the quality of the code overall and the processes behind it.

Assessment of Code Quality

The first part of the CQA is a quantitative analysis. As in an open source audit, the audit leverages automated tools to analyze the software for the quality of the coding. The tools are language-specific; they identify coding problems and produce metrics to gauge the overall quality of the code. Reports compare the metrics to industry averages for projects of similar technology and scope. How well the code was written affects its usability and reliability as well as how hard or easy it might be to maintain. You might find, for example, that although the code functions and demos well, it is poorly written and documented, and will be difficult to maintain and grow.

Qualitative Analysis

The CQA also includes an extensive qualitative analysis. Expert consultants with decades of broad software experience interview one or more key development personnel to dig into how the software is developed. They look at everything from how the software is built, tested and maintained to how feature requests are managed. They can even assess how effectively the development organization could grow. For example, if all the good ideas are in the head of the technical founder and leadership is otherwise weak, it might be difficult to scale the operation.

The qualitative CQA may complement an organization’s own due diligence efforts, or it may overlap. Some clients choose to have us team with their technical resources, providing them just a quantitative look at the code they would not otherwise have access to.

Managing Software Development

It’s critical to assess open source risk in any deal where software assets are a significant part of the valuation. In addition, with so much open source being used today, managing open source is an important element of the overall management of software development. If a company does not have a good handle on its open source use, that may be indicative of other problems in the development process. For companies that don’t have the wherewithal to assess on their own, complementing the open source audit with a CQA gives broader insight into the quality of the software and the processes by which it was produced.
