License Compliance and Software Security for M&A Due Diligence

Identify software risks during M&A transactions

When software is part of the deal, knowing what’s in the code matters. Understanding potential open source risks, security flaws, and code quality issues in a target’s codebase early protects the value of the deal. Undetected issues during M&A can:

  • Compromise proprietary intellectual property.
  • Put sensitive data at risk.
  • Impede overall operations and integration.
  • Lengthen deal and integration timelines.
  • Increase remediation costs.

No matter which side of an acquisition you’re on, Synopsys solutions for open source license compliance, software security, and code quality will support the financial and reputational success of your transaction.

Did you know?

Black Duck Audits of thousands of M&A deals reveal the potential risks associated with acquiring software:

  • 99% of the applications scanned contain open source components.
  • 68% of applications have license conflicts or unknown licenses.
  • 298 open source components per application, on average, are found.
  • 60% of applications have at least one known security vulnerability.

Source: Open Source Security and Risk Analysis Report


Call the Audit hotline
+1 781.425.4444 or complete the form below.

Don’t take our word for it

Learn how PointClickCare uses Black Duck Audits to understand risk as they bring new companies into their portfolio.

Audit services for M&A

Black Duck Audits can identify and assess all open source and third-party components, licenses, and vulnerabilities in the target codebase with these audit services:

License Compliance Audit

Open Source and Third-Party Code Audit

Open Source and Third-Party Code Audits draw on the Black Duck KnowledgeBase™ to provide you with a complete open source bill of materials (BoM) for the target codebase, showing all open source components and associated license obligations and conflict analysis.

Open Source Risk Assessment

The OSRA builds on the Open Source and Third-Party Code Audit to provide an enhanced view of open source risks in the codebase, including known security vulnerabilities and maintenance risks. It can serve as a high-level action plan to prioritize research and potential remediation actions.

Web Services and API Risk Audit

The WSRA gives you a listing of the external web services used by an application, with insight into potential legal and data privacy risks. The summary report allows you to quickly evaluate web services risks across three key categories: governance, data privacy, and quality.


Penetration Test Audits

Penetration Test (ethical hacking) Audits assess the security robustness of a software asset through an examination of the application in its full running state. They include exploratory risk analysis to bypass security controls (such as WAF and input validation) as well as attempts to abuse business logic and user authorization to demonstrate how hackers might gain access and cause damage. 

Static Application Security Test Audits

SAST Audits combine automated tool-based scans with a source code review to systematically find critical software security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and the rest of the OWASP Top 10.

Security Controls Design Analysis

SCDA evaluates the design of key security controls—including password storage, identity and access management, and use of cryptography—against industry best practices to determine whether any are misconfigured, weak, misused, or missing. SCDA finds system defects related to security controls in the design of the application; no testing or analysis of the application or code is performed.

Code Quality Audit

Quantitative Code Quality Audit

Quantitative Code Quality Audits combine static analysis tools and manual code review to analyze code quality. Results are compared to industry benchmarks to assess quality, reusability, extensibility, and maintainability in proprietary code.

Qualitative Code Quality Audit

Qualitative Code Quality Audits provide a complete analysis of the processes and practices that compose the software development life cycle (SDLC). They include recommendations for improving quality while reducing costs.

Encryption Audit

Encryption Audits identify encryption technologies that can affect and restrict the legal export of acquired software. They include a detailed analysis of encryption functions in proprietary, open source, and third-party software.

Ensure software is an asset, not a liability

Whether you are positioning to be acquired, evaluating potential targets for a strategic purchase, or seeking to establish a benchmark valuation of digital properties, having full insight into the composition and integrity of software assets is critical to a successful merger or acquisition.

451 Research discusses managing the threat of open source in M&A