Black Duck Audits and Synopsys: Running the walk

Synopsys offers a range of software security services that go beyond open source. These offer Black Duck Audit customers better due diligence service.

Soon after Black Duck merged with Synopsys, I wrote about my initial impressions of the company, specifically as a home for the Black Duck Audit business. By way of update, in short, my initial, positive impressions hold. This is the right place for Black Duck and the audit business that so many in the industry have come to rely on.

The Synopsys culture is extraordinarily well-aligned with the critical elements of our audit business: maintaining trust through integrity, being hyperresponsive through execution, and leading the market with superior services and tools. And all that with the same passion that drives my team every day. To be fair, those initial impressions were based on Synopsys “talking the talk.” However, a few months of “walking the walk” have only reinforced my conviction that we have a great home. Actually, these months have felt more like running the walk!

Trust and responsiveness

The company has been very sensitive to not compromising even an inch in these key areas. Thus, we have continued to run the business largely independently of the rest of the company. As we have been integrating into various Synopsys systems, the planning always starts with ensuring that nothing will impinge on our abilities. For example, selected team members have been testing Synopsys laptops for a month to ensure they can efficiently execute every aspect of their jobs before migrating over. And, be assured, we are extremely mindful of the importance of our discretion and confidentiality to customers. That is top of mind as we architect our networks, processes, and systems going forward. We have assigned a top compliance attorney in Synopsys to maintain data segregation within our trusted (as well as trusty) team.


Perhaps the most exciting aspect of the merger from the perspective of supporting M&A transactions is the opportunity to extend our offerings into security. Earlier this month, a Wall Street Journal article outlined the rising importance of cybersecurity in M&A, citing examples from ADP and The Home Depot.

Today, Black Duck Audits focus on open source components, licensing issues, and known security vulnerabilities in those components. Albeit a critical aspect, this is only part of the software security story. The Synopsys Software Integrity Group offers a full range of services in software security that go beyond open source, from benchmarking security programs to reviewing software architecture to penetration testing to digging into the details of proprietary code to find critical coding errors. We are in the process of leveraging those capabilities to expand the menu of ways in which we can augment our customers’ due diligence efforts.

In the same way that Black Duck is the name in open source management, Forrester and Gartner have designated Synopsys the leader in software application security. An important component of that leadership is our vast security consulting resources and skills. Additionally, the Software Integrity Group augments our open source strength with additional security research capabilities. Did you know that our team in Finland discovered Heartbleed? (They were known as Codenomicon at the time, prior to their acquisition by Synopsys.)

It’s exciting to be associated with the leader and even more so to apply a new breadth of capabilities to helping clients who rely on Black Duck Audit Services to support their M&A due diligence.

As always, please feel free to contact me if you have questions or if I can be helpful. You can reach me at podence at

Posted by Phil Odence

Phil is General Manager, Black Duck On-Demand. He works closely with Black Duck’s law firm partners and the open source community. A frequent speaker at industry events, Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group. With over 20 years’ software industry experience, Phil came to Black Duck from Empirix where he served as Vice President of Business Development and in other senior management positions, and was a pioneer in VoIP testing and monitoring. Prior to Empirix, Phil was a partner and ran consulting at High Performance Systems, a startup computer simulation modeling firm. He began his career with Teradyne's electronic design and test automation (EDA) software group in product, sales and marketing management roles. Phil has an AB in Engineering Science and an MS in System Simulation from the Thayer School of Engineering at Dartmouth College.