[AppSec Case Study] Gaining Visibility Into Open Source Risk | Synopsys

Gaining Visibility Into Open Source Risk

Founded in 2002, AccessOne is a leading provider of patient financing options designed to help patient consumers manage their healthcare costs while driving best-in-class hospital reimbursement.

“As CTO, I have overall responsibility for the technology solutions that enable our business,” says AccessOne chief technology officer Connor Gray. “Black Duck audit services were recommended by a colleague for an acquisition we were pursuing.”

Understanding risks and obligations of the code you’re acquiring

“There are many dimensions you need to examine in the technology of a company that you are acquiring,” Gray continues. “It’s important to be able to evaluate the licensing of the code they have in use. Our target was utilizing open source components. Identifying all those components and the different licensing types associated with the underlying source code was vital so that we could understand what risks and obligations potentially existed for us.

“We wanted to assure that the target was keeping code current and identify any security or operational risk that could result from their use of open source. We also took advantage of the web services analysis that the Black Duck audit team provides. This helped us evaluate what web services were being connected to, as well as potential licensing implications, authentication implications, and security around those various web services.

“All of those pieces provide indicators of the rigor an organization has around its software process. If the target isn’t aware of what code is in their code base, it might be an indication that they are doing a sloppy job of code management. If they have developers putting code into the code base without the organization being aware of it, that poses significant risk. It shows a general lack of control.”

“Identifying open source components and the different licensing types associated with the underlying source code was vital so that we could understand what risks and obligations potentially existed for us.”

Connor Gray

The process of an on-demand audit

Gray notes that the Black Duck audit process took a little under three weeks. One week was needed by the target and AccessOne for preparation—essentially having an NDA and contracts signed and getting the relevant code loaded for secure FTP access. The Black Duck audit team’s code evaluation and delivery of results was done within two weeks.

“I was highly impressed with the quality of the audit team’s work,” Gray says. “I felt it was very thorough; it gave me confidence in confirming what we already believed. It also gave us a better understanding of what to expect. Altogether, Black Duck audit services greatly helped us with analyzing the target’s software and identifying risk potential.”

Ensuring tech due diligence

“I’ve been through a number of different acquisitions, both as a buyer and a seller,” Gray says. “The thoroughness in the data that we got back is far beyond anything else that I’ve seen. I would say to any company involved in an M&A transaction that you really aren’t doing the job you need to do without something like a Black Duck audit to help you through it. I cannot imagine doing a transaction without using Black Duck audit services.”

Company Overview

AccessOne is a leading provider of flexible, co-branded patient financing solutions. Founded by providers, the AccessOne solution provides a consumer-focused experience which drives high patient satisfaction for our clients. AccessOne has helped over one million consumers afford out-of-pocket medical expenses for health systems nationwide.