Black Duck Audit Preparation

There are many reasons why our customers conduct software audits. Whether an organization is the target of an acquisition, part of a supply chain, or preparing for a funding round by auditing code to document its software intellectual property assets, Black Duck Audits can help. The Black Duck audit services group has conducted thousands of software audits and developed an efficient and straightforward process for working with you and any other companies involved in the engagement.

This website details the process that we use to scope and deliver an audit. It clarifies the paperwork required by all parties, includes tools and documents that will help us evaluate the level of effort for your engagements, and answers frequently asked questions (FAQ).

Audit overview

During the audit process, our auditors analyze the output generated by one or more automated code scans. This analysis provides detailed information pertaining to one or more of the following audit types:

  • Open Source Audit. Focuses on open source license compliance, reporting findings about the licensing and use of open source software (OSS), including a detailed review of licensing obligations, usage scope, and compatibility with the license specified for the software being analyzed.
  • Code Quality Audit. Looks at the quality of software and focuses on the qualitative processes that development organizations use, along with a quantitative analysis of the codebase itself. This audit may include a custom analysis of scalability, databases, and/or architecture. Check with us if you have custom requirements.
  • Encryption Audit. Includes a cryptographic analysis and review to identify the use of encryption so that companies can ensure compliance with U.S. and other countries’ export regulations governing encryption.
  • Open Source Risk Assessment. Provides details on components that contain operational risks. The analysis identifies known security vulnerabilities associated with particular OSS components, highlights components that have fallen into disuse or are not well-supported, and shows version proliferation and the use of out-of-date versions of components. The report also provides a rating to help prioritize investigative or remediation work.

Depending on which audits are being done, the Black Duck audit group combines this data with additional findings to compile a report that documents instances of open source and certain third-party components relating to licensing, encryption, security vulnerabilities, and/or code quality. We can provide the report to the appropriate personnel, including legal counsel, management, and/or engineering teams, for review, as directed by the customer.