The first step toward an effective and actionable audit is to consider why you’re doing an audit. Are you doing it for internal purposes, or are you doing it to prove your resources are assets rather than liabilities?
For many, impending M&A activity drives an audit. After all, when buying, you want to acquire high-quality assets free of legal, security, and quality issues. When selling, you want to be a high-quality asset. Buyers want to have a good handle on the risks they are taking on so they can value and structure the deal appropriately. Those buyers want to know that their target does not bring with it baggage that is unaccounted for. They’d like to know the company is using open source components within the bounds of their licenses, that it is minimizing potential cyber attack vectors, that it can ensure consistent uptime, and that its data—and its customers’ data—will be secure.
Some organizations opt for an internal open source audit because the leadership team has been reading news about open source vulnerabilities, exploits, and possible breaches. Other teams may be concerned about intellectual property risks arising from noncompliance with open source licenses. What’s driving your organization’s choice? Your reason determines whom you involve and what the audit’s goals should be.