Understanding the Hows and Whys of Open Source Audits

4 Critical Questions to Ask During an Open Source Audit

If you’re part of a modern business that does any software development, your dev teams are using open source components to move quickly, save money, and leverage community innovation. If you’re a law firm or a consultant, your clients use open source. And if you’re on the lookout for your next acquisition, you'll be evaluating targets replete with open source. Black Duck recently found that proprietary applications we audit are 36% open source on average.

Since I've been working at Black Duck, I've learned a great deal about open source — and how and why an audit of the code base is important. I've also heard stories from customers scrambling to create a plan that addresses concerns about open source software risk during mergers and acquisitions (M&A) — before it jeopardizes the deal. This scramble makes me wonder how well the companies involved understand how their solutions are built. 

Why Bother with an Open Source Audit?

It’s important to consider why you're doing an audit — why you need to examine your dev teams’ projects, open source components, and license requirements. 

For many, impending M&A activity drives an audit. After all, when buying, you want to acquire high-quality assets free of legal or security issues and, when selling, you want to be a high-quality asset. Buyers want to have a good handle on the risks they are taking on so they can value and structure the deal appropriately. Those buyers want to know that their target does not bring with it unaccounted for baggage. They’d like to know the company is using open source components within the bounds of their licenses, is resistant to cyberattacks, can ensure consistent uptime, and that their data — and their customers’ — will be secure.

Some organizations opt for an internal open source audit because the leadership team has been reading news covering open source vulnerabilities, exploits and possible breaches. Some teams may be concerned about the intellectual property risks due to non-compliance with open source licenses. What's driving your organization’s choice? Your reason makes a difference in who you involve and your goals.

Who Do You Involve in Your Audit?

When preparing for a code audit, understand that developers are focused on producing quality code quickly. While developers may understand the implications of open source licenses, they may not be concerned about the fine print of the thousands of open source licenses in the wild today. They may also not have the time or resources to track new security vulnerabilities announced every day.

Senior leadership, legal departments, and senior technical managers are usually the ones charged with the strategy, policies and processes associated with open source management. This allows developers to focus on developing software while providing them with guidelines to avoid risks. When performing code analysis, all of these groups can contribute to analyzing results and addressing issues that arise.

Request a Custom Code Analysis

What Do You Do with the Audit Results?

Good open source audit service providers should take the time to review the results of an application audit and provide actionable insight into:

  1. Copyleft licenses and other license obligations
  2. Unlicensed code
  3. Open source security vulnerabilities
  4. Operational risks associated with open source

This is when your experts will take over the results, leveraging the auditors' insight to clarify any questions. This is a critical step, because what the audit uncovers may have a material impact on the valuation of a business and the deal terms during an M&A. 

How Do You Use Your Knowledge?

Maybe something needs to change, maybe it doesn’t; the results of your audit will help you answer that question. If your audit showed exactly what you expected, you're in the minority. When we did an analysis of our security audits from 2016, we found that 96% of applications scanned used open source, and companies were only aware of about half of the open source in use. The great majority of code bases we analyze have license and security issues.

The output of an open source audit provides clear information about not only the open source code in use, but the known vulnerabilities in the code, not to mention the license compliance risks. This information not only gives you a clear picture of what's in your code, it can help you be better prepared moving forward. Creating open source management policies based on how you're actually using your code is one way you can use your audit results. 

Do I Need an Open Source Audit?

As I mentioned, the most common reason for an open source audit among our customers is for merger and acquisition events. A snapshot of the open source use and risk exposure of the code in question provides much needed information to help you move forward as a buyer or a seller. Buyers get visibility into risks they may be taking on; sellers have the opportunity to address such risks in advance of due diligence. If you anticipate being on either side of a transaction, the Black Duck Audit team can help you decide how to proceed.

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

FinTech Compliance is Evolving to Safeguard Your Information

| Jul 11, 2017

The rapid growth of custom and open source applications deployed in businesses worldwide means that all companies have significant software assets. In some industries, agile development and open source software have enabled a technological evolution, to the point of creating new business models.

| MORE >

Asymmetric Advantage: The Role of Open Source in Government Cybersecurity

| Mar 17, 2017

Government cybersecurity has been a pressing issue for decades, yet only recently have we seen federally sponsored recognition of the increasing threat adversaries pose to proprietary, custom, and open source software. On the tails of high profile data leaks and internet-crippling cyber attacks,

| MORE >