When Software is the Company, Tech Due Diligence is Critical

Best practices for a growing amount of firms involved in a merger/acquisition transaction (commonly known as an “M&A”) include a code audit whenever software is a significant part of the deal. And more and more firms are realizing that an open source code audit should be part of their overall tech due diligence process.

Why? In modern software development, code is rarely written from scratch. Forrester Research indicates that custom code now often comprises only 10 to 20 percent of many applications, with the remainder being previously developed code, third-party code, and increasingly, open source code as the core foundation for applications. In fact, Black Duck code audits indicate that 95 percent of code bases contain undisclosed open source.

Unfortunately, many open source components come with liabilities in their license agreements, and, according to the Forrester Wave™ on Software Composition Analysis, “one out of every sixteen open source download requests is for a component with a known vulnerability.”

The need to understand open source risk in a recent acquisition was the driver for the leading provider of patient medical financing options, AccessOne, to reach out to Black Duck by Synopsys for an open source code audit.

AccessOne Case Study: Gaining Visibility into Open Source Risk

“We wanted to assure that the target was keeping code current and identify any security or operational risk that could result from their use of open source,” AccessOne Chief Technology Officer Connor Gray told me late last year. “We also took advantage of the web services analysis that Black Duck provides. Those provide indicators of an organization’s rigor around their software process. If the target isn’t aware of what code is in their code base, it might be an indication that they are doing a sloppy job of code management. If they have developers putting code into the code base without the organization being aware of it, that poses significant risk.” 

As I previously noted, open source may come with legal obligations that go with the usage of that code. There also may be security vulnerabilities within the code. A Black Duck open source code audit is an automated process that discovers the open source components in a codebase, and the legal compliance issues related to those open source components, prioritizing any issues based on their severity. The audit also discovers known security vulnerabilities related to the open source components as well as operational risks such as versioning and duplications.
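The audit paragraph above lists four kinds of finding (license obligations, known vulnerabilities, outdated versions, duplicated components) and says they are prioritized by severity. The script below is an added example of that workflow, written for this page; it is not Black Duck's code or the audit service the post describes. It runs the four checks over a constructed component inventory and sorts the result by severity. Every component name, version, path, vulnerability id (the `VULN-PLACEHOLDER-*` strings), the `LATEST` catalog and the `LICENSE_POLICY` table are constructed stand-ins for data a real scan and feed would supply.

```python
"""Minimal software-composition audit over a constructed component inventory.

Added example, not Black Duck's code or the audit described in the post.
It mirrors the four checks the post lists (license obligations, known
vulnerabilities, outdated versions, duplicated components) and ranks
findings by severity. All names, versions, ids and policy values below
are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory: what a scan of a code base might report.
INVENTORY = [
    {"name": "libalpha", "version": "1.2.0", "license": "MIT", "path": "vendor/libalpha"},
    {"name": "libalpha", "version": "1.0.3", "license": "MIT", "path": "third_party/alpha-old"},
    {"name": "libbeta", "version": "2.4.1", "license": "GPL-3.0-only", "path": "src/ext/beta"},
    {"name": "libgamma", "version": "0.9.0", "license": None, "path": "lib/gamma"},
    {"name": "libdelta", "version": "3.1.0", "license": "Apache-2.0", "path": "vendor/delta"},
]

# Constructed "latest known release" table, standing in for a component catalog.
LATEST = {"libalpha": "1.2.0", "libbeta": "2.4.1", "libgamma": "1.1.0", "libdelta": "3.1.0"}

# Constructed vulnerability feed: placeholder ids, not real CVE numbers.
VULNS = [
    {"name": "libalpha", "fixed_in": "1.1.0", "id": "VULN-PLACEHOLDER-1", "severity": "high"},
    {"name": "libbeta", "fixed_in": "2.5.0", "id": "VULN-PLACEHOLDER-2", "severity": "critical"},
]

# Constructed license policy for a proprietary, distributed product.
LICENSE_POLICY = {
    "GPL-3.0-only": ("high", "strong copyleft: distribution obligations for the linked product"),
    "LGPL-2.1-only": ("medium", "weak copyleft: dynamic-linking and relinking obligations"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Finding:
    component: str
    version: str
    category: str
    severity: str
    detail: str


def audit(inventory, latest=LATEST, vulns=VULNS, policy=LICENSE_POLICY):
    """Run the four checks and return findings sorted by severity, then component."""
    findings = []
    # 1. License obligations: policy-restricted licenses and missing license data.
    for c in inventory:
        lic = c["license"]
        if lic is None:
            findings.append(Finding(c["name"], c["version"], "license", "medium",
                                    "no license declared; obligations unknown"))
        elif lic in policy:
            sev, why = policy[lic]
            findings.append(Finding(c["name"], c["version"], "license", sev, f"{lic}: {why}"))
    # 2. Known vulnerabilities: the shipped version is older than the fixed version.
    for c in inventory:
        for v in vulns:
            if v["name"] == c["name"] and parse_version(c["version"]) < parse_version(v["fixed_in"]):
                findings.append(Finding(c["name"], c["version"], "vulnerability", v["severity"],
                                        f"{v['id']} fixed in {v['fixed_in']}"))
    # 3. Versioning: the component lags the latest known release.
    for c in inventory:
        newest = latest.get(c["name"])
        if newest and parse_version(c["version"]) < parse_version(newest):
            findings.append(Finding(c["name"], c["version"], "outdated", "low", f"latest is {newest}"))
    # 4. Duplication: the same component vendored more than once, possibly at different versions.
    copies_by_name = {}
    for c in inventory:
        copies_by_name.setdefault(c["name"], []).append(c)
    for name, copies in copies_by_name.items():
        if len(copies) > 1:
            versions = sorted({x["version"] for x in copies})
            findings.append(Finding(name, ",".join(versions), "duplicate", "low",
                                    f"{len(copies)} copies: " + ", ".join(x["path"] for x in copies)))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.component))
    return findings


def summarize(findings):
    """Count findings per category; the roll-up an audit report usually leads with."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.category:13} {f.component} {f.version}: {f.detail}")
    print(summarize(results))
```

Two details carry over to real audits: versions are compared as integer tuples, because a string comparison would rank `1.10.0` below `1.9.0` and miss an outdated component, and a component with no declared license is reported as a finding rather than silently passed, since unknown obligations are exactly the surprise an acquirer wants to see before closing.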

Given the value delivered in protecting against the impact of a lawsuit, a data breach, or a loss of asset value, Black Duck open source code audits are one of the most cost-effective risk mitigation strategies that a firm involved in an M&A transaction can undertake. Black Duck performs hundreds of open source software audits for some of the largest organizations and most active acquirers in the world. By identifying open source code and third-party components and licenses, Black Duck can alert your firm to potential legal, operational, and security issues, and help you:

  • Avoid surprises
  • Mitigate legal exposure
  • Understand risks that may impact software asset values

“I’ve been through a number of different acquisitions, both as a buyer and a seller,” Gray says. “The thoroughness in the data that we got back from Black Duck is far beyond anything else that I’ve seen. I would say to any company involved in an M&A transaction that you really aren’t doing the job you need to do without something like a Black Duck audit to help you through it. I cannot imagine doing a transaction without using Black Duck’s services.”

You can read the full AccessOne case study, “Gaining Visibility into Open Source Risk” here.
