The M&A Open Source Risk Number

Find out what our audit services team unearthed in the 2,400+ codebases we reviewed in 2021.

Spoiler alert: In 2021, audits found open source in 100% of our customer engagements.

Regular readers know that Synopsys recently published the seventh edition of the “Open Source Security and Risk Assessment” (OSSRA) report. We think it provides the best information available about usage of open source in the wild, and the frequency of open source risks. 

The report is based on anonymized and aggregated data pulled from the Black Duck® Audit group’s work. It presents the results in terms of codebases—roughly equivalent to applications—that we audit as part of an M&A transaction. However, because we typically audit multiple codebases in each customer engagement, statistics per codebase are only part of the story.

You can read the full M&A story in our “Open Source Risk in M&A by the Numbers” white paper. It covers the same data as the OSSRA report but presents the analysis in the context of transactions. For example, instead of digging into the frequency of high-severity vulnerabilities per codebase, the paper explores the percentage of M&A transactions that include code with high-severity vulnerabilities.

You can also watch this recorded webinar to get an inside look at the data Black Duck Audits compiled in 2021 from the 2,400 codebases we audited in tech transactions.

Posted by Phil Odence

Phil is the general manager of Synopsys’s Black Duck Audit business auditing the composition, security and quality of software for companies on both sides of M&A transactions. He focuses on software due diligence best practices and the M&A market. He also works closely with the company’s law firm partners and the open source community and is a frequent speaker on open source management and M&A. Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group which created an ISO standard for Software Bills of Materials (SBOMs). With decades of software industry experience, Phil held senior management positions at Hammer/Empirix and High Performance Systems, a startup in computer simulation modeling. He began his career in marketing and sales with Teradyne's electronic design and test automation (EDA) software group. He’s also written a book on fly fishing. Phil has an AB and an MS in engineering from Dartmouth College.
