Last week Black Duck released the 2017 Open Source Security and Risk Analysis. This is a great piece of research that should be of interest to anyone involved in tech M&A. The theoretical risks associated with open source are clear: most companies use a lot of open source but don’t sufficiently track which components are in their code, leaving their applications susceptible to license, security, or operational problems. This report goes beyond the theoretical with hard data revealing issues discovered in real software.
The analysis was performed using anonymized results from more than 1000 code bases Black Duck audited last year, mostly assets of tech companies going through acquisition. Whether you are on the buy or sell side, this valuable study will give you a solid sense for what we typically find in the code of companies that are being looked at today. In short, last year almost every code base had a substantial amount of open source, much of it with legal and security issues best reviewed prior to a transaction.
The average amount of open source was 36%. When Black Duck started doing audits more than a decade ago, 10% was typical. On average, today's codebases contained 147 different open source components. 22% of the more than 1000 code bases contained more than 50% open source.
Clearly developers today are leveraging substantial quantities of open source when creating “proprietary code.” Acquirers should understand how well their targets are managing that code. Black Duck’s due diligence checklist is a useful starting point.
The driving concern behind digging into open source is most often license risk. Improper use of code under some licenses, notably the GPL family, can potentially compromise proprietary intellectual property. The substantial number of legal actions over GPL violations has made this particular license a primary focus of many audits.
75% of the code bases audited contained licenses from the GPL family. That’s not necessarily a problem as long as the code owner has met their obligations under the license. However, about 55% of code bases that employed GPL code were out of compliance. Many of the rest were SaaS-deployed applications which, to oversimplify, can include GPL code with less concern.
The net is that 85% of the code bases analyzed had license conflicts. In addition, the majority of codebases contained components with no clear license associated (which most attorneys would deem risky). In our experience, acquirers will look to have such issues cleaned up as part of the acquisition.
Much of the study focused on open source security vulnerabilities. While legal risk tends to be the main focus of our audit customers, many are keen to dig into security as well, particularly when acquiring a SaaS company that handles any kind of sensitive data. This is not a surprise given that 10 new vulnerabilities in open source components are discovered every day.
67% of codebases included open source components with known security vulnerabilities and on average contained 27 vulnerable components, many of high severity. The vast majority of these had been fixed in subsequent versions of the vulnerable component. The problem is that development organizations rarely have the capability to track and update components over time.
It’s no surprise that most companies are acquiring other companies where software is an important part of the valuation. Generally, companies being acquired don’t have a solid handle on what open source they are using — we almost never get an accurate bill of materials from a target company. So, we advise sellers to be proactive and buyers to be prudent with an audit. On those rare occasions where we find no issues in a code base, everyone gets to breathe a sigh of relief.
Our webinar on April 19 covered the report findings and more. Watch a recording of the webinar "Assessing Open Source Risk: An Imperative for M&A Professionals" now.