Part of the FOSSID business relates to pure services based on our software scanner. Using our own tools, we help customers with open source audits: finding the prevalence of open source components, files, and snippets, identifying their origin, and determining the licenses that apply. The most common use cases are private equity investment players and companies in the process of merging with or acquiring another business, both of which depend on a technical due diligence to learn about the target company’s assets, liabilities, contracts, benefits, and risks.
The software due diligence process is a standard part of any merger or acquisition, and, given the many benefits of open source software, it is more the rule than the exception to find a high percentage of such software in the analysis. The key elements necessary for passing the technical due diligence are code quality, intellectual property and licensing, and security. For all of these, FOSSID provides in-depth data for the customer to consider in their decision making, and to help them sort out the possible inter-dependency and licensing issues that may surface.
Recently, the open source authority Ibrahim Haddad wrote the ebook “Open Source Audits in Merger and Acquisition Transactions”, which provides an overview and practical guide to open source audits, together with guidelines for improving open source compliance preparedness. He lists three audit methods:
- Traditional audit, in which the auditor gets complete access to all the code and executes the audit either remotely or on site.
- Blind audit, in which the auditor does the work remotely and without ever seeing the source code.
- “Do It Yourself” audit, in which the target company or the acquirer performs most of the actual audit work themselves using the tools, with the option of a random verification of the results by the auditing company.
All of the methods have their place, as not all due diligences are the same, but one fundamental difference between FOSSID and other vendors is our pioneering solution for blind audits. We meet even the most stringent security and confidentiality requirements, as the code of the target company is never exposed to either the acquiring company or to FOSSID as the auditing company. FOSSID doesn’t even need to know the identity of the target company.
No source code exposure: ensuring maximum security and confidentiality.
No legal hassle: a clean-cut, easy process to get the job done.
Blind audit, done remotely, without ever exposing the source code.
It is a much cleaner cut, without the need for additional legal and infrastructure arrangements to be made for the auditing company to get access to the source code, to upload and transfer it to the auditor’s servers, to perform the audit, and then to remove the source code safely and securely.
As far as Ibrahim Haddad is aware, such an audit method is not offered by any other company offering open source compliance services.