Understanding the Hows and Whys of Open Source Audits


Since I’ve been working at Black Duck, I’ve learned a great deal about open source — and how and why an audit of the code base is important. I’ve also heard stories from customers scrambling to create a plan that addresses concerns about open source software risk during mergers and acquisitions (M&A) — before it jeopardizes the deal. This scramble makes me wonder how well the companies involved understand how their solutions are built. 

Why Bother with an Open Source Audit?

It’s important to consider why you’re doing an audit — why you need to examine your dev teams’ projects, open source components, and license requirements. 

For many, impending M&A activity drives an audit. After all, when buying, you want to acquire high-quality assets free of legal or security issues and, when selling, you want to be a high-quality asset. Buyers want a good handle on the risks they are taking on so they can value and structure the deal appropriately. They want to know that their target does not bring unaccounted-for baggage with it: that the company is using open source components within the bounds of their licenses, is resistant to cyberattacks, can ensure consistent uptime, and that its data — and its customers’ — will be secure.

Read more at Black Duck