Auditing Code Quality: A Broader Picture

Auditing Code Quality: A Broader Picture

Black Duck is well-known for open source audits, but that is only a piece of the technology due diligence puzzle. Auditing code quality assesses other aspects of a company’s software assets and completely complements an open source audit. Both audit types dive into issues that impact the valuation of a company’s software assets in an M&A transaction.

What's in a Modern Code Base?

A modern code base is made up of components from a variety of sources combined with proprietary code to “stitch” them together and add unique value. Increasingly, developers are leveraging the benefits of millions of open source components freely available on the Internet. But, most companies are not set up to track open source usage and can’t, therefore, identify what open source is being used in a code base. An open source audit provides visibility into the components in a code base and the associated legal, security and operational risks. 

105: Average number of open source components found in each application

Aspects of Technical Diligence

An open source audit provides extremely useful information for assessing the value of software assets, however there are other aspects to be considered as part of technical diligence. A Black Duck Code Quality Audit (CQA) looks beyond the open source components to the quality of the code overall and the processes behind it.

Assessment of Code Quality

The first part of the CQA is a quantitative analysis. Similar to an open source audit, the audit leverages automated tools to analyze the software for the quality of the coding. The tools are language-specific; they identify coding problems and produce metrics to gauge the overall quality of the code. Reports compare the metrics to industry averages for projects of similar technology and scope. How well the code was written impacts its usability and reliability as well how hard or easy it might be to maintain. You might find, for example, that although the code functions and demos well, it is poorly written and documented, and will be difficult to maintain and grow. 

Qualitative Analysis

The CQA also includes an extensive qualitative analysis. Expert consultants with decades of broad software experience interview one or more key development personnel to dig into how the software is developed. They look at everything from how the software is built, tested and maintained to how feature requests are managed. They can even assess how effectively the development organization could grow. For example, if all the good ideas are in the head of the technical founder and leadership is otherwise weak, it might be difficult to scale the operation.

The qualitative CQA may complement an organization’s own due diligence efforts, or it may overlap. Some clients choose to have us team with their technical resources, providing them just a quantitative look at the code they would not otherwise have access to.

Managing Software Development

It’s critical to assess open source risk in any deal where software assets are a significant part of valuation. In addition, with so much open source being used today, managing open source is an important element of the overall management of software development. If a company does not have a good handle on their open source use, that may be indicative of other problems in development process. For companies who don’t have the wherewithal to assess on their own, complementing the open source audit with a CQA gives broader insight into the quality of software and the processes by which it was produced.

Request a Custom Code Analysis

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Diving Deep into Wild & Wacky Open Source Licenses

| Sep 5, 2017

Copyleft terms seemed pretty strange to many seasoned attorneys familiar with commercial software licenses when they first encountered the GPL, but it is far from the weirdest license out there. The GPL-2.0 remains the most popular license and the choice for millions of open source components

| MORE >

The Quietly Accelerating Adoption of the AGPL

| Aug 14, 2017

The AGPL (Affero General Public License) has continued to gain in popularity and is showing up frequently in modern code bases. My blog Are SaaS Companies Immune to Open Source Risk? mentioned a key concern for SaaS or Cloud companies, a class of open source licenses that includes the Affero GPL

| MORE >

Can Blockchain and the BTC License Fund Health Insurance?

| Jul 26, 2017

The BTC license hit my radar screen recently. Billed as “sexy” by the author, the permissive BTC license employs Blockchain and may signal a new trend going forward that could transform the way many developers work... and how they get their health insurance. Background I chair the Linux

| MORE >