In an ideal world, tools that scan software for security, open source, and quality issues would yield perfect results. But the reality is that expert humans auditing code with the assistance of sophisticated tools provide the most complete and accurate results possible. There’s great value in automated scanning as it is the only practical approach for day-to-day software management, but when the stakes are high, as in an M&A transaction, audits are called for.
Although the distinction between scans and audits applies to any element of code analysis in due diligence, it most often comes up in connection with open source audits. The final output of either an audit or a scan is a software Bill of Materials (SBOM) listing the open source and third-party software in a codebase. The pivotal difference is that an audit involves dedicated experts using a variety of tools to perform a complete review of the results of automated scans. These experts apply techniques and reasoning to verify the output in ways automated tools cannot. An automated scan on its own yields less accurate results and an incomplete picture of the open source components in a target's codebase.
Specific techniques used in open source auditing include string search (locating license, copyright, and project-name markers in source text) and snippet identification (matching fragments of code against known open source, even when they have been copied, renamed, or reformatted). These methods produce the most complete and accurate SBOMs, which is why an audit is typically recommended when the inherent risks and high stakes of a tech M&A transaction call for complete insight.
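To make the two techniques concrete, here is an added example (not code from the original article or from any vendor's audit tooling) that implements a toy version of each: a string search over license and copyright markers, and a snippet identifier that normalizes code, hashes windows of consecutive lines, and looks the hashes up in a small reference index. The reference snippet, the target file, the marker patterns, and the window size `k` are all constructed here for illustration; a real audit index covers millions of components and uses winnowing to keep the fingerprint set manageable.

```python
"""Toy open source audit helpers: string search and snippet identification.

Added example, not code from the original article or from any audit product.
REFERENCE_SNIPPETS, TARGET_SOURCE, LICENSE_MARKERS and the window size k are
constructed for illustration only.
"""
import hashlib
import re

# Constructed reference corpus: one known open source snippet and its origin.
REFERENCE_SNIPPETS = {
    "example-lib-1.0 (MIT)": """
        def parse_header(buf):
            if len(buf) < 4:
                raise ValueError("short header")
            magic = buf[:2]
            length = int.from_bytes(buf[2:4], "big")
            return magic, length
    """,
}

# Constructed target file: the same logic with renamed identifiers, plus a
# copyright line of the kind that string search is meant to catch.
TARGET_SOURCE = """
# Copyright (c) 2019 Example Lib Authors. Licensed under the MIT License.
def read_hdr(data):
    if len(data) < 4:
        raise ValueError("short header")
    magic = data[:2]
    length = int.from_bytes(data[2:4], "big")
    return magic, length

def unrelated():
    return 42
"""

# Constructed marker patterns; real audits carry far larger pattern sets.
LICENSE_MARKERS = [
    r"copyright\s*(\(c\)|©)?\s*\d{4}",
    r"licensed under the (mit|apache|gpl|bsd)",
    r"gnu general public license",
]


def string_search(source):
    """String search: return the lines that carry license/copyright markers."""
    hits = []
    for line in source.splitlines():
        low = line.lower()
        if any(re.search(pattern, low) for pattern in LICENSE_MARKERS):
            hits.append(line.strip())
    return hits


def normalize(source):
    """Return (original_line_number, normalized_text) pairs.

    Comments and blank lines are dropped, whitespace is collapsed, and every
    identifier-like token becomes ID so that renaming does not hide a match.
    """
    out = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        line = re.sub(r"#.*", "", line).strip()
        if not line:
            continue
        line = re.sub(r"[A-Za-z_]\w*", "ID", line)
        out.append((lineno, " ".join(line.split())))
    return out


def fingerprint(lines, k):
    """Yield (window_index, sha256) for every window of k consecutive lines."""
    for i in range(len(lines) - k + 1):
        window = "\n".join(text for _, text in lines[i:i + k])
        yield i, hashlib.sha256(window.encode()).hexdigest()


def identify_snippets(source, references=REFERENCE_SNIPPETS, k=3):
    """Snippet identification: report regions of `source` whose hashed windows
    appear in the reference index. Overlapping hits from one origin are merged
    into a single region described by original line numbers."""
    index = {}
    for origin, ref_src in references.items():
        for _, digest in fingerprint(normalize(ref_src), k):
            index.setdefault(digest, origin)

    target = normalize(source)
    regions = []
    for i, digest in fingerprint(target, k):
        origin = index.get(digest)
        if origin is None:
            continue
        first, last = target[i][0], target[i + k - 1][0]
        prev = regions[-1] if regions else None
        if prev and prev["origin"] == origin and first <= prev["last_line"]:
            prev["last_line"] = last          # extend the current region
            prev["windows"] += 1
        else:
            regions.append({"origin": origin, "first_line": first,
                            "last_line": last, "windows": 1})
    return regions


if __name__ == "__main__":
    print("license strings:", string_search(TARGET_SOURCE))
    print("snippet matches:", identify_snippets(TARGET_SOURCE))
```

Two points the toy makes visible: the copyright line is found by string search but is invisible to the snippet matcher (comments are stripped before hashing), while the renamed function is found by snippet identification but carries no searchable marker at all. Neither technique alone produces a complete SBOM, and with a small `k` the identifier-blind normalization will also flag generic boilerplate, which is exactly the kind of result an auditor has to review and discard.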