KPMG Open Source Software capabilities | KPMG | US

Software composition analysis | KPMG capabilities

Open source license compliance and vulnerability management





Open source license compliance and vulnerability management - Why does it matter?

Today, open source software (OSS) accounts for more than 50 percent of the code developers build into their proprietary applications. This speeds up time to market, drives innovation, and is reshaping the technology world.

In this new environment, security vulnerabilities, data breaches, and compliance lawsuits are real concerns. Organizations have to track their OSS assets proactively in order to control both security and license risk.

With the proliferation of OSS components in today’s development environment, it is imperative that regular and timely audits be conducted of the software an organization develops, uses, and distributes, so that vulnerability and license compliance risks are detected.

Powered by Flexera’s FlexNet Code Insight, KPMG software composition analysis assists global organizations in discovering and understanding the use and impact of OSS components in their applications. We conduct OSS audits of an organization’s most critical code. Our approach strategically aligns with our clients’ business priorities, security, and compliance needs.

Coming out of the audit, organizations receive a detailed software bill of materials (BOM), giving them a clear understanding of their OSS footprint, any known vulnerabilities that need to be patched, and licensing risks that need to be addressed. This is essential for any organization that builds software, and it is especially imperative for technology firms to include it in the technical due diligence process prior to making a software-related acquisition.

Our services

KPMG software composition analysis is based on Flexera’s FlexNet Code Insight (formerly Palamida) platform.

  • M&A due diligence: Preacquisition due diligence (OSS license obligations), postacquisition deep dive (OSS license obligation and vulnerability detection assessment).
  • Baselines/investigations: Software bill of materials (BOM), OSS license obligations, vulnerability detection, and SDLC process reengineering to embed continuous OSS usage monitoring.

Auditor independence

KPMG complies with the auditor independence rules of the AICPA, SEC, PCAOB and DOL. As a result, certain alliance-based solutions cannot be offered by KPMG to our audit clients. KPMG audit clients should check with their respective lead audit partner for more information.
