An open source audit digs into a codebase to see what’s inside. Find out what our audit services team unearthed in the 1,250+ codebases we reviewed in 2019.
The nature of open source use makes it hard to track. Open source in a codebase typically results from the collective decisions of individual developers. A developer faced with a gap in functionality might cast about the internet for a “puzzle piece”—an open source component, a code snippet—that fits. The result: a puzzle completed in less time, with less effort, than if your developers had to craft each piece from scratch.
But some developers are more savvy than others about vetting the components they ingest on their company’s behalf. And without proper vetting, those components can embed quality, security, and license issues into the finished project.
It’s a challenge to track open source within companies (though software composition analysis makes the job more manageable). It’s even harder to do so at the industry level. But understanding industrywide open source trends is essential to crafting best practices that keep your development organization ahead of the game.
So how can we get a complete picture of what’s going on in the industry? Through data aggregated from open source software audits. In an open source audit, the audit team pries open a codebase to see what’s inside. The results of one audit are almost always surprising. And when we combine the data from thousands of audits, we see clear patterns in open source use that every development organization should be aware of.
My Black Duck Audit Services team analyzes more code for open source than anyone in the world, across all industries and technologies. Through brute force, for the last four years, we’ve been digging into codebases and aggregating anonymized data on code composition, legal issues, security issues, and other operational factors. Recently, working with the Synopsys Cybersecurity Research Center (CyRC), we published our 2020 Open Source Security and Risk Analysis report, a great bedtime read for anyone in software.
Below are some highlights of what we found across over 1,250 codebases we reviewed in open source audits in 2019. But you really should download the report to get more details and a breakout by industry. You may also want to check out our open source in M&A webinar, in which I put the results in the M&A context. “Phil really knows his stuff,” one participant commented at the end. But that’s shooting a compliment at the messenger. The reality is Synopsys knows its stuff when it comes to open source.
Yes, Synopsys, with the CyRC and Black Duck Audit Services team, knows its stuff. After you read the report, you’ll know your open source stuff too!
This post was originally published May 2019 and refreshed June 24, 2020.
Phil is the general manager of Synopsys’s Black Duck Audit business, which audits the composition, security, and quality of software for companies on both sides of M&A transactions. He focuses on software due diligence best practices and the M&A market. He also works closely with the company’s law firm partners and the open source community and is a frequent speaker on open source management and M&A. Phil chairs the Linux Foundation’s Software Package Data Exchange (SPDX) working group, which created an ISO standard for Software Bills of Materials (SBOMs). With decades of software industry experience, Phil held senior management positions at Hammer/Empirix and High Performance Systems, a startup in computer simulation modeling. He began his career in marketing and sales with Teradyne’s electronic design and test automation (EDA) software group. He’s also written a book on fly fishing. Phil has an AB and an MS in engineering from Dartmouth College.