When software is part of the deal, knowing what’s in the code matters. Understanding potential open source risks, security flaws, and code quality issues in a target’s codebase early protects the value of the deal. Undetected issues during M&A can:
No matter which side of an acquisition you’re on, Synopsys solutions for open source license compliance, software security, and code quality will support the financial and reputational success of your transaction.
Black Duck Audits of thousands of M&A deals reveal the potential risks associated with acquiring software:
codebases contain open source
of codebases have license conflicts
of codebases have at least one vulnerability
contained open source more than four years out-of-date
Call the audit hotline +1 781.425.4444.
Black Duck Audits can identify and assess all open source and third-party components, licenses, and vulnerabilities in the target codebase with these audit services:
Open Source and Third-Party Code Audits draw on the Black Duck KnowledgeBase™ to provide a complete open source bill of materials (BOM) for the target codebase, listing every open source component, the obligations its license imposes, and an analysis of conflicts between those licenses and the target's distribution model.
The OSRA builds on the Open Source and Third-Party Code Audit to provide a detailed view of the open source risks in the codebase, including known security vulnerabilities and maintenance risks such as components that are years behind their current release. Additionally, the OSRA identifies the encryption functions in use in the applications so you can check compliance with internal, external, and governmental encryption requirements. It draws on Black Duck enhanced vulnerability data that supplements the National Vulnerability Database (NVD), and its output can serve as a high-level action plan for prioritizing further research and remediation.
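To make concrete what the license-conflict, vulnerability, and maintenance-risk findings of these two audits look like mechanically, here is a small added example (not Synopsys or Black Duck code, and not real audit output) that walks a CycloneDX-style BOM and reports the three risk classes the statistics above describe. The BOM, the advisory feed, the copyleft policy list, and the four-year staleness threshold are all constructed assumptions for illustration; a real audit matches against a maintained knowledge base rather than a hand-written dictionary.

```python
"""Toy open source risk audit over a CycloneDX-style BOM (added example, not Black Duck code)."""
import json
from datetime import date

# Constructed sample BOM in CycloneDX-like JSON. Not real audit output.
SAMPLE_BOM = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.2.0",
         "licenses": [{"id": "MIT"}], "released": "2023-03-01"},
        {"name": "gplparser", "version": "0.9.1",
         "licenses": [{"id": "GPL-3.0-only"}], "released": "2021-06-15"},
        {"name": "oldcrypto", "version": "2.0.3",
         "licenses": [{"id": "Apache-2.0"}], "released": "2017-01-10"},
    ]
})

# Constructed advisory feed: component -> [(first fixed version, advisory id)].
# A component at a version below the fixed version is treated as affected.
SAMPLE_ADVISORIES = {
    "oldcrypto": [("2.1.0", "EXAMPLE-2019-001")],
    "libfoo": [("1.1.0", "EXAMPLE-2022-007")],   # already fixed in 1.2.0
}

# Policy assumption: the target ships proprietary binaries, so strong-copyleft
# licenses conflict with that distribution model. Illustrative list only.
COPYLEFT_CONFLICTS = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
STALE_AFTER_YEARS = 4   # mirrors the "more than four years out-of-date" statistic


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def audit(bom_json, advisories, audit_date):
    """Return (category, component, detail) findings for license, vulnerability and staleness risk."""
    findings = []
    for comp in json.loads(bom_json)["components"]:
        name, version = comp["name"], comp["version"]

        # License conflict analysis against the distribution-model policy.
        for lic in comp.get("licenses", []):
            if lic.get("id") in COPYLEFT_CONFLICTS:
                findings.append(("license_conflict", name,
                                 f"{lic['id']} conflicts with proprietary distribution"))

        # Known vulnerabilities: affected if below the first fixed version.
        for fixed, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append(("vulnerability", name,
                                 f"{advisory_id}: affected, fixed in {fixed}"))

        # Maintenance risk: release age relative to the audit date.
        released = date.fromisoformat(comp["released"])
        age_years = (audit_date - released).days / 365.25
        if age_years > STALE_AFTER_YEARS:
            findings.append(("stale", name,
                             f"release {released} is {age_years:.1f} years old"))
    return findings


def summarize(findings):
    """Count findings per category, the shape a summary report would present."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def run_sample_audit():
    """Audit the constructed BOM as of a fixed date so results are reproducible."""
    return audit(SAMPLE_BOM, SAMPLE_ADVISORIES, date(2024, 1, 15))


if __name__ == "__main__":
    results = run_sample_audit()
    for category, component, detail in results:
        print(f"{category:17} {component:10} {detail}")
    print(summarize(results))
```

On the constructed input this reports one finding of each class: gplparser for its GPL-3.0-only license, oldcrypto 2.0.3 for the advisory fixed in 2.1.0, and oldcrypto again for a release more than four years old, while libfoo is clean because its version already carries the fix. The version comparison is deliberately naive; real components use semver pre-release tags, epoch prefixes, and distro-specific schemes, which is one reason an audit relies on a curated knowledge base rather than string comparison.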
The WSRA gives you a listing of the external web services used by an application, with insight into potential legal and data privacy risks. The summary report allows you to quickly evaluate web services risks across three key categories: governance, data privacy, and quality.
Penetration Test (ethical hacking) Audits assess the security robustness of a software asset by examining the application in its full running state. They include exploratory risk analysis aimed at bypassing security controls (such as a WAF and input validation) as well as attempts to abuse business logic and user authorization, to demonstrate how an attacker might gain access and cause damage.
SAST Audits combine automated tool-based scans with manual source code review to systematically find critical software security vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows, along with the other weakness classes covered by the OWASP Top 10.
SDR evaluates the design of key security controls—including password storage, identity and access management, and use of cryptography—against industry best practices to determine whether any are misconfigured, weak, misused, or missing. SDR finds system defects related to security controls in the design of the application; no testing or analysis of the application or code is performed.
Code Quality Audits combine static analysis tools and manual code review to analyze code quality. Results are compared to industry benchmarks to assess quality, reusability, extensibility, and maintainability in proprietary code. Experts interpret the results and provide recommendations for addressing shortfalls in code quality.
Software Development Audits offer a complete analysis of the processes and practices that compose the software development life cycle (SDLC). Experts conduct in-depth interviews with a small number of key personnel to gain insight into the quality and maturity of development practices, including coding standards, processes, and tools. From this, they provide recommendations for improving code quality while reducing development and maintenance costs.
Design Quality Audits use experienced architects and architectural analysis tools powered by Silverthread to assess the overall architecture in terms of modularity and hierarchy, rounding out a complete picture of the health of the software. The report analyzes how the architecture affects maintainability and identifies potential risk areas that are candidates for refactoring.
Whether you are positioning to be acquired, evaluating potential targets for a strategic purchase, or seeking to establish a benchmark valuation of digital properties, having full insight into the composition and integrity of software assets is critical to a successful merger or acquisition.
451 Research discusses managing the threat of open source in M&A
Learn how Black Duck SCA helped Íslandsbanki manage and mitigate open source vulnerabilities
Read the case study
Find out how PointClickCare uses Black Duck On-Demand by Synopsys to make sure their patient data stays secure.
Understand the process of an open source audit—what comes before, during, and after.
Read the blog post
Learn how to address license conflicts, security vulnerabilities, quality issues, and maintainability concerns.
Download the eBook
In this course you’ll gain skills to assist client companies in efficiently and effectively navigating and interpreting the output of a Black Duck analysis.
Learn more
Learn the steps Synopsys recommends you take for open source due diligence in an M&A transaction.
Get the checklist
Access the directory of legal professionals who have been certified as Black Duck Legal Specialists.
Learn more