Every company is a software company. If it doesn’t build it, it buys it and uses it to run its operations.
So when companies are acquired, the purchasers are buying software along with physical and intellectual property. Most of that software is open source. And there’s a lot of acquiring going on. The 2022 “Open Source Software and Risk Analysis” (OSSRA) report by Synopsys noted that the number of codebases audited in 2021 rose by 64%, driven by an increase in mergers and acquisitions (M&A).
It was also driven by the fact that more purchasers are aware that they need an audit of the codebases they’re acquiring—an objective analysis, or technical due diligence, of the quality, security, and possible licensing risks of that software.
If they don’t know what they’re buying, they won’t know what they’re using, and they could end up being victims of catastrophic vulnerabilities like the Log4Shell group of vulnerabilities in the Apache Software Foundation’s logging library Log4j.
Also, if they don’t participate in maintaining the thousands to millions of open source components they’re using, those components can (and do) fall out of support, which means bugs no longer get fixed.
Watch our latest edition of AppSec Decoded as Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, and Taylor Armerding, security advocate at Synopsys Software Integrity Group, discuss the value of Black Duck® by Synopsys audit services in the M&A world, and ways to reap the benefits of your open source software without falling victim to the risks.