Synopsys Enters into Definitive Agreement for Sale of Application Security (Software Integrity Group) Learn More

close search bar

Sorry, not available in this language yet

close language selection

For two decades, Black Duck® audits have been the industry’s most trusted open source due diligence solution for M&A and internal audits for SBOM generation. This capability has involved into a line of advisory services to cover the breadth of software due diligence. When comprehensiveness, speed and accuracy are critical, high-tech enterprises, startups, PE firms and legal advisors choose Synopsys for open source, security, quality, and software development process audit services.

What you don’t know can hurt you

What’s in the code and the processes by which it was developed matters when merger and acquisition (M&A) transactions are in motion. Undiscovered open source in applications can lead to costly license violations. Security flaws in proprietary, open source, and other third-party software, can have a significant negative impact on the value of software assets. Poor quality code and architecture and immature development processes can compromise the product roadmap.

Fast results. Thorough analysis. Peace of mind.

Whether you are acquiring or being acquired, you need an audit partner that can provide fast, trusted, and comprehensive software audits to mitigate these risks.

Black Duck software audits give you the information your firm needs to quickly assess a broad range of software risks in your acquisition target’s software or your own. Get a complete picture of process and code risks (including open source license obligationapplication security, and code quality risks) so you can make informed decisions with confidence.


Free audit consultation

Call the audit hotline +1 781.425.4444 or fill out the form below, and one of our audit experts will contact you.

Get a consultation

Assess process risks

Software Development Audits offer a complete analysis of the processes and practices that compose the software development life cycle (SDLC). Experts conduct in-depth interviews with key personnel to gain insight into the quality and maturity of the organization and its development practices, including coding standards, processes, and tools. From this, they provide an assessment of the current state and recommendations for improving the process while reducing development and maintenance costs.


Assess code risks

Open Source and Third Party

Open Source and Third Party software audits draw upon world class tools using a range of software composition analysis (SCA) techniques, the Black Duck KnowledgeBase™ and open source-expert auditors to provide a complete and accurate Software Bill of Materials (SBoM) for the target codebase with open source and third party components and associated license obligations and license conflict analysis.

Additionally, utilizing a range of sources including Synopsys’s proprietary Black Duck Security Advisories (BDSAs), Open Source Risk Analyses identify known security vulnerabilities and operational risks and provide guidance on remediation. Finally, the reports identify encryption functions in use in applications so you can ensure compliance with internal, external, and governmental encryption requirements.

A Web Services and API Risk Audit (WSRA) generates a listing of the external web services used by an application, with insight into potential legal and data privacy risks.



Static Application Security Testing (SAST) Audits combine automated tool-based scans with expert source code review to systematically find critical software security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and the rest of the OWASP Top 10. They provide an inside out view of security of the code.

Penetration Test Audits are essentially ethical hacking and assess the security robustness of a software asset through an examination of the applications from the outside in, in their full running state. They include exploratory risk analysis when auditors try to bypass security controls (such as WAF and input validation) as well as attempts to abuse business logic and user authorization to demonstrate how hackers could gain access and cause damage.

Through interviews with engineers responsible for application security, Secure Design Review (SDR) Audits evaluate the design of key security controls—including password storage, identity and access management, and use of cryptography—against industry best practices to determine whether any are misconfigured, weak, misused, or missing. SDR Audits find system defects related to security controls in the design of the application. No testing or analysis of the application or code is performed.



Design Quality Audits combines insights from experienced software architects with powerful architectural analysis tools to assess overall architecture in terms of modularity and hierarchy, thus providing a complete, top-down picture of the health of the software. The report includes analysis on how the architecture impacts maintainability and identifies potential risk areas that are candidates for code refactoring.

Code Quality Audits combine static quality analysis tools with manual code review to given insights into how well code is written. They include comparisons to industry benchmarks of quality, reusability, extensibility, and maintainability of proprietary code.


Learn more about Black Duck Audits

Synopsys Software Integrity Customer Stories | PointClickCare


Find out how PointClickCare uses Black Duck On-Demand by Synopsys to make sure their patient data stays secure.