Black Duck audits reporting update: Streamlined view of risks and remediation steps

Software due diligence has evolved

Starting in the early 2000s, Black Duck audits offered a service that identified open source and third-party components in an application and assessed the associated licensing and security risk of them. Since then, our offerings have evolved and expanded. Today, we provide a comprehensive range of services covering the breadth and depth of software due diligence.

Software risk domains

Black Duck audit clients want insights in all risk areas and look to us to augment their software due diligence capabilities.

Software development processes and organization: Our experts conduct in-depth interviews with key personnel to gain insight into the quality and maturity of the organization and its development practices, including coding standards, processes, and tools.

Quality: Using both static analysis tools and manual code review, we provide insights on how well the codebase is written. We can also evaluate the architectural design of the codebase and determine if it is well-structured and modular.

Open source and third-party: Using a range of word-class tools, we provide the most comprehensive and accurate assessment available of the composition of the code and associated license and security risk.

Security: Our team of consultants assess the security posture of the application using static application security testing, penetration testing, and secure design review.

The right level of detail for the job

Each of these services includes a report that outlines the in-depth results of our analysis and provides context and comments from our highly skilled auditors. A deep level of detail is important for clients’ subject-matter experts. As an example, an IP attorney will want to understand why we flagged an open source license as potentially problematic, and a software architect will be interested in where the problems are in the architecture.

In addition to performing several types of audits, we are often asked to analyze multiple applications, and some assessments are language-dependent, which means that we generate more reports. For a large transaction, it would not be uncommon for our team to deliver 15 or 20 reports.

Engagement summary report

These individual reports contain invaluable data for particular stakeholders in the transaction, but they do not present an overview of the full software due diligence. It may be cumbersome for corporate development or executive stakeholders to navigate through so many documents. In fact, clients would value augmenting the detailed reports with a business-level story that give the full picture.

For this reason, we recently introduced the engagement summary report. Its purpose is to provide that big picture, presenting only the key findings for each risk category, along with suggested remediation next steps, in a concise format.

This report begins with a one-page executive summary that tells a story and highlights the application’s strengths as well as the major areas of concern.

The subsequent sections summarize the risk areas covered in the engagement. Each section presents both our main observations as well as recommended next steps.