Tech Due Diligence: Helping PE Firms Invest with Confidence

Tech Due Diligence: Helping PE Firms Invest with Confidence

When the private equity industry was in its infancy in the 1980s, the tech sector was barely on its radar. Tech is now attracting all types of private equity firms, with the sector representing over 40 percent of US buyouts last year, a trend reflecting the global M&A market, in which tech is also the most popular sector.

Where's the Focus Before Final Acquisition?

In technology deals, one of the biggest areas of focus for PE firms before final acquisition is tech due diligence to help acquirers understand the intellectual property they’re buying. Savvy buyers will also put processes in place to maintain the value of the assets acquired and to ensure there are no issues with those assets when it’s time to divest.

“From our point of view, we want to understand the code we’re buying better, how robust it is and if there are any potential issues,” says Greg Holmes an investment executive in NorthEdge Capital, which manages £540m of private equity funds. “We’re interested in the open source nature of the code, whether there are any licensing issues, and identifying those issues up front to work through them.”


Read the NorthEdge Capital Case Study

An open source audit looks at specific risks and vulnerabilities that relate to the open source components within a code base. Open source may come with legal obligations that go with the usage of that code. There may be security vulnerabilities within the code. An open source code audit (also known as “software composition analysis”) is an automated process that discovers the open source components in a codebase, and all the legal compliance issues related to those open source components, prioritizing any issues based on their severity. The audit will also discover known security vulnerabilities related to the open source components as well as operational risks such as versioning and duplications.

Potential Risks

Getting to the root of potential risks associated with open source ahead of an event—be it acquisition, investment, divesture, or funding—is important to protecting IP value. But, what about the other third-party services that could have made their way into code and present additional unknown risks?

As with open source, companies often have little visibility into the web service APIs on which their applications depend. Similar to the licensing of open source, those applications may have problematic terms of service associated with them. Web services can also expose companies to potential data privacy or overall operational risks that could disrupt or severely impact business. Black Duck web service risk audits scan the code to provide a list of external web services utilized by an application, identifying  those web services that may introduce legal or privacy risk into your application.

Best practices for a growing amount of PE include such audits whenever software assets are a significant part of the deal valuation to ensure the quality, integrity and security of the intellectual property they’re buying. Both investment bankers and PE firms realize that a code audits should be part of the overall tech due diligence process.

Find a Trusted Advisor

Black Duck often acts as a trusted advisor for both sides of the transaction. From the buyer’s perspective, they want assurances the code they’re purchasing doesn’t have unidentified open source licensing, security, or code quality risks. On the seller’s side, their source code is often the company’s lifeblood, and they need a high degree of confidence that code won’t be disclosed.

“We go to experts like Black Duck to verify that there are no issues within the software asset,” says Holmes. “And that’s the value of Black Duck—that at day’s end we have assurance that there’s no red flags or potential issues, or conversely if there had been issues to have them brought out before the deal is completed.”

Read the full customer profile on how Black Duck by Synopsys is helping NorthEdge Capital make tech investments with confidence—alerting the firm to potential legal, operational, and security issues in acquisitions and sales by identifying open source code and third-party components and licenses.

Black Duck Web Service Risk Audits


Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Securing IoT, Atlanta Ransomware Attack, Congress on Cybersecurity

| Mar 30, 2018

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April.  You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best

| MORE >

GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open Source Rookies

| Mar 23, 2018

A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source

| MORE >

Who Owns Linux? TRITON Attack, App Security Testing, Future of GDPR

| Mar 16, 2018

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both

| MORE >