Software audit for acquisition due diligence with nexB

Business & Mgmt

Published on March 6, 2014

Author: nexB

nexB provides products and services for software component management and license compliance.
We have unique expertise in complex embedded devices and large server-based or appliance-based software products.
We help companies determine what is in their software, or in software provided by their suppliers.
For more information, please visit

nexB - Software Audit for Acquisition Due Diligence © 2014 nexB Inc.

Agenda
•  About nexB
–  What nexB does
–  Our experience
•  Software Audit: M&A
–  License Violation Risks & Recent Audit Issues
–  Software Audit Process
–  Software Audit Tools
•  Additional Information
–  Why nexB?
–  Contact us
–  Lessons Learned

About nexB – What nexB does
•  Enable component-based software development
–  Software provenance analysis services
–  Software asset management tools
•  Software audit services
–  Acquisitions
–  Software product releases
•  Expertise in all software IP
•  Active OSS developers

About nexB – Our experience is our difference
•  nexB is recognized by buyers and target companies as:
–  experts in software origin analysis
–  a fair and trusted intermediary
•  nexB identifies issues along with practical remediation steps
•  300+ software audit projects completed to date

Software audit: M&A – License Violation Risks
(Chart: a spectrum of license types from proprietary to copyleft. Binary-only proprietary: Adobe Reader, many Java libraries. Freeware / shareware, and proprietary source with limitations: Microsoft shared source, SCSL. FOSS attribution licenses: BSD, MIT, Apache. Copyleft licenses: GNU GPL, GNU LGPL, CDDL, MPL, EPL. "Free Software" in the chart denotes software whose source code is available.)

Software audit: M&A – Recent Audit Issue Examples
•  Dependency Issue “Workarounds”
•  License violation

Software audit: M&A – Emerging Audit Issue Examples
•  Cloud computing and Dual Licensing
•  Personal Devices and Application store markets

Software audit: M&A – Software Audit Process
(Process diagram; the three phases, Preparation, License & Origin Analysis, and Review & Report, are detailed on the slides that follow.)

Software audit: M&A – Software Analysis Scope
(Diagram: the analysis covers Commercial Code, Original Code and Open Source Code.)

Software audit: M&A – Software Analysis Deliverables
•  Complete inventory of OSS and third-party components in the Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
–  Including possible exposure for older product versions
–  Detailed analysis for copyleft “contamination”
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)

Software audit: M&A – Preparation – 1 week (1/2)
•  Establish NDA with seller
–  Two-way or three-way
•  Scope audit effort
–  Audit profile (questionnaire)
–  Size of code base: number of files and lines of source code
–  Disclosure of known third-party and open source software
–  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project

Software audit: M&A – Preparation (2/2)
•  Many targets are anxious about the process
–  The general level of anxiety is inversely proportional to the prior M&A experience of the executives
–  We do some hand holding to make them feel comfortable
–  Assure the seller that they review all findings first, so there are no surprises
–  Explain the process and tools to the seller

Software audit: M&A – License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to a reference code repository for origin and license detection (based on digital “fingerprints”)
•  Map Deployed code to Development code to:
–  Validate that we have a complete Development codebase
–  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications using media codecs

Software audit: M&A – License & Origin Analysis (2/2)
Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations

Software audit: M&A – Review & Report – 1 week (1/2)
Activities
•  Review draft findings with the product team
–  Ask the product team to respond to each Action item:
•  Accept the recommended solution or propose another approach
•  Acknowledge & investigate
•  This is not a request to fix anything during the audit
–  Incorporate feedback and answers from the product team into the Software BOM and Report
–  We may “agree to disagree”; in that case we present two points of view: ours and the seller’s
•  Complete the final report
–  Second review cycle with the product team
–  Release the report
–  Conference call with the buyer to present findings & answer questions

Software audit: M&A – Review & Report (2/2)
Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report: narrative with executive summary, project data and a summary of the Action items and Responses

Software audit: M&A – Software Audit Tools
•  nexB typically uses a combination of tools for a software audit
–  Our own DejaCode™ toolkit is the primary tool
–  Other tools are used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
–  Direct scan for license and copyright notices
–  Component matching for open source and publicly available third-party components (freeware/proprietary)
–  Analysis of source code and pre-built libraries (binary)
–  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All of these require expert humans to interpret the results!
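The scan, match and Deployed-to-Development mapping steps from the License & Origin Analysis slide, and the first three analysis layers listed under Software Audit Tools, can be shown end to end on a toy codebase. The following is an added example written for this page; it is not DejaCode or any other nexB code. The license rules, the reference index of "known" components and every sample file are constructed for the example, and a whole-file SHA-256 over whitespace-normalized text stands in for the much richer fingerprinting a real scanner uses.

```python
"""Toy license and origin scan over an in-memory source tree.

Added example (not nexB's DejaCode or any other scanner's code) showing
three of the analysis layers described on the slides, in miniature:
  1. direct scan of each file for license and copyright notices,
  2. fingerprint matching against a reference index of known components,
  3. mapping Deployed artifacts back to Development files, so findings
     are filtered to what ships and gaps in the Development tree show up.
The license rules, reference index and sample files are all constructed.
"""
import hashlib
import re

# A handful of license markers. Real scanners carry thousands of rules;
# these only need to catch the constructed sample below.
LICENSE_CLUES = {
    "GPL-2.0": re.compile(r"GNU General Public License.{0,80}version 2", re.S | re.I),
    "LGPL-2.1": re.compile(r"GNU Lesser General Public License.{0,80}version 2\.1", re.S | re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "BSD": re.compile(r"Redistribution and use in source and binary forms", re.I),
}
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n]*", re.I)


def fingerprint(text: str) -> str:
    """Hash of the file with blank lines, indentation and EOL style removed,
    so a CRLF copy of an LF source still matches. Real tools also hash
    sub-file fragments to catch partial copies; whole-file only here."""
    norm = "\n".join(line.strip() for line in text.splitlines() if line.strip())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def scan_file(text: str) -> dict:
    """Layer 1: direct scan for license and copyright clues."""
    return {
        "licenses": sorted(k for k, rx in LICENSE_CLUES.items() if rx.search(text)),
        "copyrights": [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)],
        "fingerprint": fingerprint(text),
    }


def audit(dev_tree: dict, deployed: dict, reference: dict) -> dict:
    """dev_tree and deployed map path -> file text; reference maps a
    fingerprint -> (component name, license) for known components."""
    inventory = {}
    for path, text in dev_tree.items():
        row = scan_file(text)
        hit = reference.get(row["fingerprint"])  # layer 2: component matching
        if hit:
            row["component"], ref_license = hit
            if ref_license not in row["licenses"]:
                row["licenses"].append(ref_license)
            row["origin"] = "matched"
        elif row["licenses"]:
            row["origin"] = "third_party_notice"  # notice found, no known match
        else:
            row["origin"] = "original"            # no clue at all: presumed original
        inventory[path] = row

    # Layer 3: map Deployed artifacts to Development files by fingerprint.
    # A deployed file with no Development match means the codebase we were
    # given is incomplete (or the artifact was built from something else).
    dev_by_fp = {row["fingerprint"]: path for path, row in inventory.items()}
    deployed_map = {p: dev_by_fp.get(fingerprint(t)) for p, t in deployed.items()}
    missing_sources = sorted(p for p, src in deployed_map.items() if src is None)

    # Only copyleft files that actually ship become Action items; copyleft
    # code present in Development but not Deployed is inventoried only.
    shipped = {src for src in deployed_map.values() if src}
    action_items = sorted(
        (src, lic) for src in shipped for lic in inventory[src]["licenses"] if lic in COPYLEFT
    )
    origin_counts = {}
    for row in inventory.values():
        origin_counts[row["origin"]] = origin_counts.get(row["origin"], 0) + 1
    return {
        "inventory": inventory,
        "deployed_map": deployed_map,
        "missing_sources": missing_sources,
        "action_items": action_items,
        "origin_counts": origin_counts,
    }


# Constructed sample codebase (not real project files).
SAMPLE_DEV = {
    "src/app/main.py": "# Copyright (c) 2014 Example Corp\nimport json\nprint('hello')\n",
    "src/vendor/tinylib.py": (
        "# tinylib 1.0\n# Copyright (c) 2012 Jane Doe\n"
        "# Permission is hereby granted, free of charge, to any person...\n"
        "def add(a, b):\n    return a + b\n"
    ),
    "src/vendor/gpltool.py": (
        "# This program is free software; you can redistribute it under the\n"
        "# terms of the GNU General Public License as published by the FSF,\n"
        "# version 2.\ndef run():\n    pass\n"
    ),
    "src/vendor/lgpllib.py": (
        "# Copyright (c) 2011 Some Project\n"
        "# Licensed under the GNU Lesser General Public License, version 2.1.\n"
        "def helper():\n    pass\n"
    ),
}
SAMPLE_DEPLOYED = {
    "dist/app/main.py": SAMPLE_DEV["src/app/main.py"],
    "dist/app/tinylib.py": SAMPLE_DEV["src/vendor/tinylib.py"].replace("\n", "\r\n"),
    "dist/app/gpltool.py": SAMPLE_DEV["src/vendor/gpltool.py"],
    "dist/app/mystery.py": "# Copyright (c) 2010 Unknown Vendor\nx = 1\n",
}
# Constructed reference index: fingerprint of one "known" component file.
SAMPLE_REFERENCE = {fingerprint(SAMPLE_DEV["src/vendor/tinylib.py"]): ("tinylib 1.0", "MIT")}

if __name__ == "__main__":
    result = audit(SAMPLE_DEV, SAMPLE_DEPLOYED, SAMPLE_REFERENCE)
    for key in ("origin_counts", "missing_sources", "action_items"):
        print(key, result[key])
```

On the sample, the LGPL library is in Development but not Deployed, so it appears in the inventory but raises no Action item; the GPL tool ships and does; the CRLF copy of tinylib still maps to its source because the fingerprint normalizes line endings; and the unmatched deployed file is reported as a gap in the Development codebase rather than silently ignored. Those are exactly the distinctions the slides say the fourth layer, the human reviewer, then has to interpret.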

Additional Information – Why nexB (1/2)
•  100% of our customers are repeat customers and references
•  We have a balanced approach
–  Automated code analysis AND analysis by software experts
–  Direct consultation with engineering, management and legal teams
–  Concrete Action items, each with a recommended nexB resolution and the seller’s Response

Additional Information – Why nexB (2/2)
•  Trusted third party
–  Mitigates confidentiality concerns of a seller company
–  Maintains proper segregation of information during acquisition negotiations
–  Enables objective analysis with appropriate consideration of feedback from all parties

Additional Information – Contact us
Contact person: Pierre Lapointe, Customer Care Manager
+1 415 287-7643
More information:

Additional Information – Lessons Learned – Acquisitions (1/2)
•  Schedule is always a major issue
•  Initiate a software audit early, because:
–  The seller company will probably not have done this before
–  Negotiation of an NDA takes longer than you expect
–  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with the target company
–  Get answers for open issues
–  Get agreement about remediation strategies
–  Get agreement that the report is objective and reasonable

Additional Information – Lessons Learned – Acquisitions (2/2)
•  Identify the “crown jewels” and key platforms of the seller technology
–  Concentrate the audit on the most important parts
–  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
–  For instance, tolerance for certain versions of open source licenses or for proprietary Linux drivers varies among companies
–  We apply the Buyer company’s policies if available
–  Otherwise we apply “conservative” community standards
–  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
