What is an Open Source Audit and How Does it Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

AI-generated code | Harness the power of AI coding assistants while managing the risks
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Consolidation | Simplify your application security program
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source License Compliance | Effective solutions for ensuring open source license compliance
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

Table of Contents

What is an open source audit?
Why are open source audits important?
Who performs open source audits?
When are open source audits performed?
Synopsys open source audits
Open source audit resources

Definition

An open source audit is an analysis of a codebase that identifies all open source components, associated license conflicts and obligations, known security vulnerabilities, and potential risk introduced via third-party web service API integrations. This data is then used to create a complete open source Software Bill of Materials (SBOM). The analysis can be done in-house, but it is usually done by a trusted third party that is experienced in identifying open source dependencies and mapping those dependencies to areas of risk.

Why are open source audits important?

Seventy-six percent of the average application is comprised of open source code, according to data from the annual Synopsys “Open Source Security and Risk Analysis” (OSSRA) report. This means that most of modern applications were built by someone else, completely outside the control of the company deploying the resulting application. Without visibility into those open source dependencies, it’s impossible to understand and mitigate the risk that comes along with it. For example, without an open source SBOM, organizations had no idea whether their applications were impacted by the Log4Shell critical vulnerability.

Who performs open source audits?

Open source audits are most often performed by a trusted third party. The benefit of this is that an independent team of auditors can use purpose-built tools to identify all open source dependencies, regardless of how they’ve been included. They can go beyond package manager inspection to also identify snippets of dependencies, and open source libraries coded in languages that do not use package managers, such as C and C++. Expert auditors also use their experience to eliminate false positives, and prioritize risk insights based on severity for the customer.

When are open source audits performed?

Audits are most commonly done as part of technical due diligence for mergers and acquisitions. When software is a significant part of a deal, the acquiring company usually requires the target company to have these audits performed in order to better understand the limits of, and risk associated with, the software that they are investing in or purchasing. A trusted third-party auditor performs an analysis and communicates results to the acquirer, while protecting the intellectual property of the target company.

Open source audits are not done just during M&A processes, though. They can be done at any time for any other reason, such as customer requirements, internal risk assessments, seller preparation, etc.

Synopsys open source audits

Our open source and third-party software audits draw upon world-class tools and a range of software composition analysis techniques, the Black Duck^® KnowledgeBase™, and open source expert auditors. We provide a complete and accurate SBOM for the target codebase, including all open source and third-party components, associated license obligations, and license conflict analysis.

Additionally, utilizing a range of sources including Synopsys proprietary Black Duck Security Advisories, open source risk analyses identify known security vulnerabilities and operational risks and provide guidance on remediation.

Open source audit resources

Datasheet

Audit Services Datasheet

Learn more about our audit services

Blog

How an open source audit works

Learn how an open source audit can reduce your security risk

White Paper

When it makes sense to perform an open source audit

Learn when to conduct an audit and how to prioritize the findings

Open Source Audit