Software security vendor Synopsys has acquired fellow security vendor Black Duck Software for $565 million. The deal marks an end to 15 years of growth for Black Duck as an independent company and is a good price for both companies. Although the deal is subject to regulatory approval, both companies anticipate no issues. If all goes well, it will complete by Christmas.
Andreas Kuehlmann, senior vice president and general manager of the Synopsys Software Integrity Group: “Our vision is to deliver a comprehensive platform that unifies best-in-class software security and quality solutions.
“Development processes continue to evolve and accelerate, and the addition of Black Duck will strengthen our ability to push security and quality testing throughout the software development lifecycle, reducing risk for our customers. We look forward to working with Black Duck’s experienced team as we drive our combined solution to the next level of value for our customers.”
What does Black Duck bring to Synopsys?
Black Duck has built its reputation on the management and security of open source solutions. It uses automation to track open source components and ensure that they are patched effectively. This is an area where many companies are struggling. The growth of open source solutions and components has lowered software development costs. However, it brings with it concerns over how secure these components are.
Many of those components end up embedded in solutions built by in-house developers, and the documentation and tracking of those components are often poor. Black Duck makes it easy for organisations to understand where the components are being used. They can then apply any patches to affected solutions while also carrying out a risk assessment of those patches.
Lou Shipley, President and CEO of Black Duck, commented: “…despite the global dependence on open source, most companies are ineffective in securing and managing it because they lack good visibility into the oceans of open source software they are using. Organizations simply cannot effectively secure, control and manage what they can’t see.”
Licence compliance is another open source challenge. Black Duck has a licensing engine that allows companies to track what open source software they are using. This is more important than many people realise. There are a number of different licence models for using open source. Making sure that you are compliant with the model that applies to the software you are using is good business practice.
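The two checks described above, component patch status and licence compliance, reduce to matching an inventory of embedded open source components against an advisory feed and a licence allowlist. The following is an added illustration of that core logic; it is not Black Duck's code, and the inventory, advisory entries and approved-licence list are all constructed for the example.

```python
"""Minimal software-composition check: component inventory -> patch and licence review.

Added illustration, not Black Duck's code. All component names, versions,
advisory identifiers and licence policy below are constructed for the example.
Assumes dotted numeric version strings (e.g. "1.2.0"); real tools need a
fuller version-comparison scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


# Constructed inventory: open source components embedded in an in-house product.
INVENTORY = [
    Component("libexample-json", "1.2.0", "MIT"),
    Component("netparse", "0.9.1", "GPL-3.0"),
    Component("cryptoutils", "2.4.3", "Apache-2.0"),
]

# Constructed advisory feed: name -> [(highest_affected_version, fixed_version, advisory_id)]
ADVISORIES = {
    "libexample-json": [("1.2.4", "1.2.5", "EXAMPLE-2017-001")],
    "netparse": [("0.9.0", "0.9.1", "EXAMPLE-2017-002")],
}

# Constructed licence policy: licences approved for embedding in a shipped product.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(version):
    """Turn "1.2.0" into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_components(inventory, advisories):
    """Return (name, advisory_id, fixed_version) for each component still inside
    an advisory's affected range, i.e. the components that need patching."""
    findings = []
    for component in inventory:
        for highest_affected, fixed, advisory_id in advisories.get(component.name, []):
            if parse_version(component.version) <= parse_version(highest_affected):
                findings.append((component.name, advisory_id, fixed))
    return findings


def license_violations(inventory, approved):
    """Return the names of components whose licence is outside the approved set."""
    return [c.name for c in inventory if c.license not in approved]
```

Running both functions over a real inventory gives the two lists the article describes: what must be patched (and to which version) and which components raise a licence-compliance question.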
What does this mean?
This is a sensible and accretive addition to the Synopsys solution. A lot of software companies buy up smaller vendors to grow their customer base. There is often overlap between the acquired solution and what they already have. In this case there is very little overlap.
The focus on open source is what makes Black Duck so interesting for Synopsys. Many of Synopsys’ customers build embedded systems. Given the costs associated with these, there is an increasing interest in using open source software. It reduces the software development costs and gets products to market quicker. The problem, as we see every day with the Internet of Things, is that the speed of product design compromises security. This acquisition will allow Synopsys’ customers to know where those open source assets have been used, assess the security risk and patch where appropriate.