When Software is the Company, Tech Due Diligence is Critical

Best practices for a growing number of firms involved in a merger/acquisition transaction (commonly known as an “M&A”) include a code audit whenever software is a significant part of the deal. And more and more firms are realizing that an open source code audit should be part of their overall tech due diligence process.

Why? In modern software development, code is rarely written from scratch. Forrester Research indicates that custom code now often comprises only 10 to 20 percent of many applications, with the remainder being previously developed code, third-party code, and increasingly, open source code as the core foundation for applications. In fact, Black Duck code audits indicate that 95 percent of code bases contain undisclosed open source.

Unfortunately, many open source components come with liabilities in their license agreements, and, according to the Forrester Wave™ on Software Composition Analysis, “one out of every sixteen open source download requests is for a component with a known vulnerability.”

The need to understand open source risk in a recent acquisition was the driver for the leading provider of patient medical financing options, AccessOne, to reach out to Black Duck by Synopsys for an open source code audit.

AccessOne Case Study: Gaining Visibility into Open Source Risk

“We wanted to assure that the target was keeping code current and identify any security or operational risk that could result from their use of open source,” AccessOne Chief Technology Officer Connor Gray told me late last year. “We also took advantage of the web services analysis that Black Duck provides. Those provide indicators of an organization’s rigor around their software process. If the target isn’t aware of what code is in their code base, it might be an indication that they are doing a sloppy job of code management. If they have developers putting code into the code base without the organization being aware of it, that poses significant risk.”

As I previously noted, open source may come with legal obligations attached to the use of that code. There may also be security vulnerabilities within the code. A Black Duck open source code audit is an automated process that discovers the open source components in a codebase and the legal compliance issues related to those components, prioritizing any issues based on their severity. The audit also discovers known security vulnerabilities related to the open source components, as well as operational risks such as versioning and duplication.
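As an added illustration of the three kinds of check such an audit automates (this is example code written for this page, not Black Duck's tooling; every component name, version, license and advisory identifier below is constructed):

```python
# Added example, not Black Duck's code: a minimal software-composition check that
# reports the three risk categories the audit above describes: known vulnerabilities,
# license obligations, and operational issues (duplicate copies / version drift).
from collections import defaultdict

# Constructed inventory, as a dependency-manifest scan of one code base might yield it.
INVENTORY = [
    {"name": "libfoo", "version": "1.2.0", "license": "MIT"},
    {"name": "libfoo", "version": "1.4.1", "license": "MIT"},      # second copy, other version
    {"name": "gplutil", "version": "2.0.0", "license": "GPL-3.0"},
    {"name": "netparse", "version": "0.9.3", "license": "Apache-2.0"},
]

# Constructed advisory feed (placeholder ids): versions below fixed_in are affected.
ADVISORIES = {
    "netparse": {"fixed_in": "1.0.0", "severity": "high", "id": "ADV-PLACEHOLDER-1"},
    "libfoo": {"fixed_in": "1.3.0", "severity": "medium", "id": "ADV-PLACEHOLDER-2"},
}

# Copyleft licenses whose distribution obligations an acquirer must review.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1"}


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(x) for x in v.split("."))


def audit(inventory, advisories, copyleft=COPYLEFT):
    """Return findings grouped by risk category; security findings sorted by severity."""
    findings = {"security": [], "license": [], "operational": []}
    versions_by_name = defaultdict(set)
    for comp in inventory:
        versions_by_name[comp["name"]].add(comp["version"])
        adv = advisories.get(comp["name"])
        if adv and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            findings["security"].append((adv["severity"], comp["name"], comp["version"], adv["id"]))
        if comp["license"] in copyleft:
            findings["license"].append((comp["name"], comp["license"]))
    # Operational risk: the same component present more than once at different versions.
    for name, versions in versions_by_name.items():
        if len(versions) > 1:
            findings["operational"].append((name, sorted(versions, key=parse_version)))
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings["security"].sort(key=lambda f: rank.get(f[0], 9))
    return findings


if __name__ == "__main__":
    for category, items in audit(INVENTORY, ADVISORIES).items():
        print(category, items)
```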

Given the value delivered in protecting against the impact of a lawsuit, data breach, or loss of value, Black Duck open source code audits are one of the most cost-effective risk mitigation strategies that a firm involved in an M&A transaction can undertake. Black Duck performs hundreds of open source software audits for some of the largest organizations and most active acquirers in the world. By identifying open source code and third-party components and licenses, Black Duck can alert your firm to potential legal, operational, and security issues, and:

  • Avoid surprises
  • Mitigate legal exposure
  • Understand risks that may impact software asset values

“I’ve been through a number of different acquisitions, both as a buyer and a seller,” Gray says. “The thoroughness in the data that we got back from Black Duck is far beyond anything else that I’ve seen. I would say to any company involved in an M&A transaction that you really aren’t doing the job you need to do without something like a Black Duck audit to help you through it. I cannot imagine doing a transaction without using Black Duck’s services.”

You can read the full AccessOne case study, “Gaining Visibility into Open Source Risk” here.
