Open Source Audit. Three words which can make a big difference when you’re selling a company or floating it on the stock market.
To see why an open source audit matters, consider a startup's potential acquisition. Let's call this startup Octrangal.
Octrangal was doing well. It had carved out a niche in its market sector, and its revenue was increasing month on month. Unsurprisingly, it wasn't long before bigger players started to eye it up.
After several insulting bids, Octrangal went with Elonix, which offered a cool $30 million (six times its annual revenue) for the acquisition. The next stage was for Octrangal to complete Elonix's due diligence process, which of course included an open source audit.
Importance of an Open Source Audit
Open source audits are an essential part of any merger and acquisition (M&A) or initial public offering (IPO) process, and for good reason. To uncover any license violations or copyright infringement, potential buyers and investors need a complete record of the open source components in the target's code base, together with their licenses and any obligations those licenses impose.
Given the high volume of open source components used to build modern software products, and the fact that a component's proper use is determined not only by its own license but also by the licenses of its transitive dependencies, this is quite difficult. A permissive direct dependency can still pull in a copyleft library several levels down, and that library's terms still apply. To track open source usage manually, developers would have to dedicate precious time to administration rather than coding, and the resulting records would likely be inaccurate simply through human error. It is also not unusual for up to 80% of the code in a product to be open source. At that scale, manual tracking is simply not up to scratch.
Calling in the Professionals
Octrangal knew that the number of open source components in its software was enormous and that its developers had never been trained to detect them manually. It also knew that the longer the due diligence process dragged on, the greater the chance that the company's valuation would be reduced or the acquisition would fall through, so it needed to act fast. It did what anyone would do in this situation: it called in the professionals.
With the help of an automated open source management solution, Octrangal identified all the open source components in its software within minutes, including all of their dependencies.
The tool also reported the license of every component, including those of transitive dependencies. Octrangal could now confirm that it adhered to the terms of all its components' licenses and that its codebase contained no copyleft GNU GPL-licensed components, as required by Elonix's open source policy. However, there was one last thing Elonix required: it wanted every open source security issue put under the spotlight, and for good reason.
Don’t Forget Security
An open source audit is usually framed as a license compliance exercise, but detecting open source security vulnerabilities should be on the agenda as well. If in doubt, look to Heartbleed. In the roughly two years between the bug entering OpenSSL and its discovery in 2014, it is anyone's guess how much sensitive information was put at risk, not to mention the estimated $500 million it cost companies to remediate the issue.
Discovering open source security issues is not a simple task either. Thousands of CVEs are published every year. Developers tracking open source usage manually would have to find out not only which components are affected but also which versions are impacted, since an advisory typically applies to a range of versions and a fix lands in a specific release. That is impractical, to say the least.
Luckily, Octrangal was ready. With the help of the automated solution, it discovered every open source component affected by a known vulnerability, together with its remediation options, at the click of a button. This was no mean feat: the solution had to search the numerous sources where open source vulnerabilities are reported (the NVD, security advisories, open source projects' bug trackers) and then accurately match those vulnerabilities against the exact components and versions in Octrangal's codebase.
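The two mechanical parts of the audit described above, resolving transitive dependencies so that a copyleft license buried several levels down is not missed, and matching advisories against the exact component versions in the inventory, are small enough to show in code. The following is an added example, not code from the original post or from any vendor's tool. The package names, versions, licenses and advisory identifiers are constructed for illustration and do not describe real projects or real CVEs; the advisory records use the half-open "introduced / fixed" version range convention, and versions are assumed to be plain dotted integers.

```python
"""Toy open source audit: transitive license propagation plus advisory matching.

Added example. Every package, version, license assignment and advisory below is
constructed for illustration; none refers to a real project or a real CVE.
"""
from collections import deque

# Constructed package database: name -> (version, SPDX license id, direct deps).
# The manifest only lists what developers declared; the database supplies what
# each declared package pulls in transitively.
PACKAGE_DB = {
    "webfw":    ("2.3.1", "MIT",          ["tmpl", "netio"]),
    "tmpl":     ("1.0.4", "BSD-3-Clause", []),
    "netio":    ("0.9.2", "Apache-2.0",   ["compress"]),
    "compress": ("3.1.0", "GPL-3.0-only", []),   # copyleft, reachable only transitively
    "jsonlib":  ("5.2.0", "MIT",          []),
}
MANIFEST = ["webfw", "jsonlib"]

# Licenses the (hypothetical) acquirer's policy forbids in the codebase.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed advisories: a component is affected when introduced <= v < fixed.
# fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "compress", "introduced": "3.0.0", "fixed": "3.1.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "netio",    "introduced": "0.0.0", "fixed": "0.9.2"},  # already fixed
    {"id": "EXAMPLE-ADV-0003", "package": "tmpl",     "introduced": "2.0.0", "fixed": None},     # newer branch only
]


def parse_version(version):
    """Dotted numeric version -> tuple, so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def resolve(manifest, db):
    """Breadth-first walk from the manifest to the full transitive closure.

    Each entry keeps the path through which the package was first reached, so a
    finding can be traced back to the direct dependency that introduced it.
    """
    inventory = {}
    queue = deque((name, [name]) for name in manifest)
    while queue:
        name, path = queue.popleft()
        if name in inventory:
            continue
        version, license_id, deps = db[name]
        inventory[name] = {"version": version, "license": license_id, "path": path}
        for dep in deps:
            queue.append((dep, path + [dep]))
    return inventory


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed (open-ended if no fix)."""
    current = parse_version(version)
    if current < parse_version(introduced):
        return False
    return fixed is None or current < parse_version(fixed)


def audit(manifest=MANIFEST, db=PACKAGE_DB, advisories=ADVISORIES):
    """Return the resolved inventory plus copyleft and vulnerability findings."""
    inventory = resolve(manifest, db)
    copyleft = [
        {"package": name, "license": info["license"], "via": info["path"]}
        for name, info in sorted(inventory.items())
        if info["license"] in COPYLEFT
    ]
    vulnerable = [
        {"id": adv["id"], "package": adv["package"],
         "version": inventory[adv["package"]]["version"], "fixed": adv["fixed"]}
        for adv in advisories
        if adv["package"] in inventory
        and is_affected(inventory[adv["package"]]["version"], adv["introduced"], adv["fixed"])
    ]
    return {"inventory": inventory, "copyleft": copyleft, "vulnerable": vulnerable}


if __name__ == "__main__":
    report = audit()
    print(f"{len(report['inventory'])} components resolved from {len(MANIFEST)} declared")
    for finding in report["copyleft"]:
        print("COPYLEFT:", finding["package"], finding["license"], "via", " -> ".join(finding["via"]))
    for finding in report["vulnerable"]:
        print("VULN:", finding["id"], finding["package"], finding["version"], "fixed in", finding["fixed"])
```

Two details matter in practice. The manifest lists two permissive packages, yet the audit reports a GPL component, because `compress` arrives through `webfw -> netio`; a check that only reads the manifest would pass this codebase. And `netio` at 0.9.2 is not flagged even though an advisory names it, because 0.9.2 is the fixed release; matching on package name alone, without comparing versions numerically against the affected range, produces exactly the false positives and false negatives the text warns about.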
With Octrangal's open source security audit complete and Elonix's due diligence requirements satisfied, the acquisition went ahead. But should Octrangal have had its open source audit capabilities in order before it was compelled to?
An Open Source Audit Is for Life, Not Just for Christmas
While an open source audit is undeniably essential before any successful M&A or IPO, it is no less important as part of a software team's regular operations. Put it this way: if license compliance or security issues are affecting your open source components, isn't it better to identify and deal with them sooner rather than later, when the fix is a routine version bump instead of a blocker in a due diligence process?
Ultimately, an automated open source management solution is the way to go. With the correct tool in place, you can run an open source audit on demand and rectify any open source issues lurking in your code.