When’s the Right Time for an Open Source Audit?

January 26, 2017 Jason Levy

open source audit

Open Source Audit. Three words which can make a big difference when you’re selling a company or floating it on the stock market.

To realize the importance of an open source audit, let’s look at a startup’s potential acquisition. Let’s call this startup Octrangal.

The Bid

Octrangal was doing well. It had carved itself a niche in its market sector, and its revenue was increasing month on month. Unsurprisingly, it wasn’t long until bigger players started to eye it up.

After several insulting bids, Octrangal went with Elonix, who offered a cool $30 million (x6 its annual revenue) for its acquisition. The next stage was for Octrangal to complete Elonix’s due diligence process, which of course included an open source audit.

Importance of an Open Source Audit

Open source audits are an essential part of any merger and acquisition (M&A) or initial public offering (IPO) process, and for good reason. To uncover any instances of copyright infringement, potential buyers/investors need a record of all open source components in their target’s code base, together with their licenses.

Taking into account the high volume of open source components used to build modern software products, and the fact that a component’s proper use is not only determined by its direct license, but also the licenses of its transitive dependencies, this can be quite difficult. To track open source usage manually, developers should dedicate precious time and resources to admin rather than coding, and any records will likely be inaccurate due to the sheer fact of human error. Furthermore, it’s not unusual that up to 80% of code within a product to be open source. Due to the large amounts of open source components contained within modern software products, manual tracking is simply not up to scratch.

Calling in the Professionals: Using An Automated Open Source  Audit Tool

Octrangal knew that the number of open source components in their software was enormous and that its developers were never trained to detect them manually. Furthermore, in the knowledge that the longer the due diligence process lasts, the greater the chance that their company’s valuation would be reduced, or the acquisition would fall through, Octrangal understood that they needed to act fast. So, they did what anyone would do in this situation, they called in the professionals.

With the help of an automated open source management tool, Octrangal managed to identify all open source components in their software within minutes, including all their dependencies.

The open source audit tool also provided Octrangal with all their components’ licenses, including those of the transitive variety. Therefore, Octrangal could now confirm that it adhered to all its components’ licenses, and that its codebase contained no copylefted GNU-GPL open source components, as per Elonix’s open source policy. However, there was one last thing Elonix required – they wanted all open source security issues to be put under the spotlight, and for good reason.

Make sure you're on top of your open source due diligence with our white paper

Don’t Forget Security

Open source audit is all about discovering open source license compliance issues, however detecting open source security vulnerabilities should also be on your agenda. If in doubt, we only need to look to Heartbleed. In the 2 years it took to discover, it’s anyone’s guess how many peoples’ sensitive information was put at risk, not to mention the $500 million it cost for companies to remediate the issue.

Discovering open source security issues is also not a simple task. Hundreds of CVEs are released every year. Consequently, if developers are tracking open source usage manually, they must not only find out which components are affected but also check which versions are impacted. That’s impractical, to say the least.

Luckily, Octrangal was ready. With the help of the automated solution, they managed to discover all open source components impacted by security vulnerabilities, together with mapping their remediation options, with a click of a button. This was no mean feat. For not only did the solution have to search the numerous sources (the NVD, security advisories, open source projects’ bug trackers) where open source security vulnerabilities are reported, it then had to accurately match those vulnerabilities with the open source components contained in Octrangal’s codebase.

Thankfully, with Octrangal completing its open source security audit, and Elonix’s due diligence requirements being satisfied, the acquisition went ahead. However, maybe Octrangal should have got its open source audit capabilities in order before it was compelled to?

An Open Source Audit Is for Life, Not Just for Christmas

While it’s undeniable that an open source audit is essential before any successful M&A or IPO, it’s no less important as part of a software team’s regular operations. Put it this way, if you have license compliance or security issues affecting your open source components, isn’t it better to identify and deal with those issues sooner rather than later?

Ultimately, an automated open source management solution is the way to go. With the correct tool in place, you can undertake an open source audit on-demand, and rectify any open source issues lurking in your code.

Previous Article
Dude Where’s My File: The Healthcare Industry and Open Source Software
Dude Where’s My File: The Healthcare Industry and Open Source Software

We take it for granted that most of the services we receive today are powered by innovative technology and ...

Next Article
White Hat Hacking – Not What You Expect
White Hat Hacking – Not What You Expect

Shellshock. Dirty Cow. Drown. When it comes to finding nasty security vulnerabilities such as the above ...