For two decades, Black Duck® audits have been the industry’s most trusted open source due diligence solution for M&A and for internal audits and SBOM generation. This capability has evolved into a line of advisory services covering the breadth of software due diligence. When comprehensiveness, speed, and accuracy are critical, high-tech enterprises, startups, PE firms, and legal advisors choose Black Duck for open source, security, quality, and software development process audit services.
What’s in the code, and the processes by which it was developed, matters when merger and acquisition (M&A) transactions are in motion. Undiscovered open source in applications can lead to costly license violations. Security flaws in proprietary, open source, and other third-party software can have a significant negative impact on the value of software assets. Poor-quality code and architecture, and immature development processes, can compromise the product roadmap.
Whether you are acquiring or being acquired, you need an audit partner that can provide fast, trusted, and comprehensive software audits to mitigate these risks.
Black Duck software audits give you the information your firm needs to quickly assess a broad range of software risks in your acquisition target’s software or your own. Get a complete picture of process and code risks (including open source license obligation, application security, and code quality risks) so you can make informed decisions with confidence.
Call the audit hotline +1 781.425.4444 or fill out the form below, and one of our audit experts will contact you.
Software Development Audits offer a complete analysis of the processes and practices that compose the software development life cycle (SDLC). Experts conduct in-depth interviews with key personnel to gain insight into the quality and maturity of the organization and its development practices, including coding standards, processes, and tools. From this, they provide an assessment of the current state and recommendations for improving the process while reducing development and maintenance costs.
Open Source and Third Party
Open Source and Third Party software audits draw upon world-class tools using a range of software composition analysis (SCA) techniques, the Black Duck KnowledgeBase™, and open source expert auditors to provide a complete and accurate Software Bill of Materials (SBOM) for the target codebase. The SBOM lists open source and third-party components together with their associated license obligations and a license conflict analysis.
Additionally, utilizing a range of sources including Black Duck’s proprietary Black Duck Security Advisories (BDSAs), Open Source Risk Analyses identify known security vulnerabilities and operational risks and provide guidance on remediation. Finally, the reports identify encryption functions in use in applications so you can ensure compliance with internal, external, and governmental encryption requirements.
A Web Services and API Risk Audit (WSRA) generates a listing of the external web services used by an application, with insight into potential legal and data privacy risks.
Security
Static Application Security Testing (SAST) Audits combine automated tool-based scans with expert source code review to systematically find critical software security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and the rest of the OWASP Top 10. They provide an inside-out view of the security of the code.
Penetration Test Audits are essentially ethical hacking: they assess the security robustness of a software asset by examining the applications from the outside in, in their full running state. They include exploratory risk analysis, in which auditors try to bypass security controls (such as WAF and input validation), as well as attempts to abuse business logic and user authorization to demonstrate how attackers could gain access and cause damage.
Through interviews with engineers responsible for application security, Secure Design Review (SDR) Audits evaluate the design of key security controls—including password storage, identity and access management, and use of cryptography—against industry best practices to determine whether any are misconfigured, weak, misused, or missing. SDR Audits find system defects related to security controls in the design of the application. No testing or analysis of the application or code is performed.
Quality
Design Quality Audits combine insights from experienced software architects with powerful architectural analysis tools to assess overall architecture in terms of modularity and hierarchy, providing a complete, top-down picture of the health of the software. The report includes analysis of how the architecture impacts maintainability and identifies potential risk areas that are candidates for code refactoring.
Code Quality Audits combine static quality analysis tools with manual code review to give insight into how well the code is written. They include comparisons to industry benchmarks for the quality, reusability, extensibility, and maintainability of proprietary code.
Understand the process of an open source audit: what comes before, during, and after.
Read the blog post

Learn how to address license conflicts, security vulnerabilities, quality issues, and maintainability concerns.
Download the eBook

In this course you’ll gain skills to assist client companies in efficiently and effectively navigating and interpreting the output of a Black Duck analysis.
Learn more

Learn the steps Black Duck recommends you take for open source due diligence in an M&A transaction.
Get the checklist

Access the directory of legal professionals who have been certified as Black Duck Legal Specialists.
Learn more