Software audit for acquisition due diligence with nexB

Category: Business & Mgmt

Published on March 6, 2014

Author: nexB

Source: slideshare.net

Description

nexB provides products and services for software component management and license compliance.
We have unique expertise in complex embedded devices and in large server-based or appliance-based software products.
We help companies determine what is in their software, or in software provided by their suppliers.
For more information, please visit www.nexb.com.

nexB - Software Audit for Acquisition Due Diligence
© 2014 nexB Inc.

Agenda
•  About nexB
   –  What nexB does
   –  Our experience
•  Software Audit: M&A
   –  License Violation Risks & Recent Audit Issues
   –  Software Audit Process
   –  Software Audit Tools
•  Additional Information
   –  Why nexB?
   –  Contact us
   –  Lessons Learned

About nexB: What nexB does
•  Enable component-based software development
   –  Software provenance analysis services
   –  Software asset management tools
•  Software audit services
   –  Acquisitions
   –  Software product releases
•  Expertise in all software IP
•  Active OSS developers

About nexB: Our experience is our difference
•  nexB is recognized by buyers and target companies as:
   –  experts in software origin analysis
   –  a fair and trusted intermediary
•  nexB identifies issues along with practical remediation steps
•  300+ software audit projects completed to date

Software audit (M&A): License Violation Risks
[Diagram: a spectrum of software license types, from free software with source code available to binary-only proprietary software. Examples shown on the slide:]
•  FOSS, attribution licenses: BSD, MIT, Apache
•  FOSS, copyleft licenses: GNU GPL, GNU LGPL, CDDL, MPL, EPL
•  Freeware / Shareware and source with limitations (proprietary): Microsoft and Sun shared source, SCSL
•  Binary-only (proprietary): Adobe Reader, many Java libraries

Software audit (M&A): Recent Audit Issue Examples
•  Dependency Issue "Workarounds"
•  License violation

Software audit (M&A): Emerging Audit Issue Examples
•  Cloud computing and Dual Licensing
•  Personal Devices and Application store markets

Software audit (M&A): Software Audit Process

Software audit (M&A): Software Analysis Scope
[Diagram: the analysis scope covers Commercial Code, Original Code and Open Source Code.]

Software audit (M&A): Software Analysis Deliverables
•  Complete inventory of OSS and third-party components in the Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
   –  Including possible exposure for older product versions
   –  Detailed analysis for copyleft "contamination"
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)

Software audit (M&A): Preparation – 1 week (1/2)
•  Establish NDA with seller
   –  Two-way or three-way
•  Scope audit effort
   –  Audit profile (questionnaire)
   –  Size of code base: number of files and lines of source code
   –  Disclosure of known third-party and open source software
   –  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project

Software audit (M&A): Preparation (2/2)
•  Many targets are anxious about the process
   –  The general level of anxiety is inversely proportional to the prior M&A experience of the executives
   –  We do some hand holding to make them feel comfortable
   –  Assure the seller that they review all findings first, so there are no surprises
   –  Explain the process and tools to the seller

Software audit (M&A): License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to a reference code repository for origin and license detection (based on digital "fingerprints")
•  Map Deployed code to Development code to:
   –  Validate that we have a complete Development codebase
   –  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications of media codecs

Software audit (M&A): License & Origin Analysis (2/2)
Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations

Software audit (M&A): Review & Report – 1 week (1/2)
Activities
•  Review draft findings with the product team
   –  Ask the product team to respond to each Action item
      •  Accept the recommended solution or propose another approach
      •  Acknowledge & investigate
      •  Not a request to fix anything during the audit
   –  Incorporate feedback and answers from the product team into the Software BOM and Report
   –  We may "agree to disagree"; we then present two points of view: ours and the seller's
•  Complete final report
   –  Second review cycle with the product team
   –  Release the report
   –  Conference call with the buyer to present findings & answer questions

Software audit (M&A): Review & Report (2/2)
Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report: narrative with executive summary, project data and a summary of the Action items and Responses

Software audit (M&A): Software Audit Tools
•  nexB typically uses a combination of tools for a software audit
   –  Our own DejaCode™ toolkit is the primary tool
   –  Other tools used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
   –  Direct scan for license and copyright notices
   –  Component matching for open source and publicly available third-party components (freeware/proprietary)
   –  Analysis of source code and pre-built libraries (binary)
   –  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All require expert humans to interpret the results!
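The analysis activities described in the License & Origin Analysis slide and the "multiple layers of analysis" on the tools slide can be reduced to three mechanical steps: a direct scan of each file for license and copyright notices, a fingerprint match of each file against a reference index of known components, and a fingerprint-based mapping of the Deployed product back to the Development codebase so that findings are filtered to what actually ships and missing source is detected. The script below is an added example written for this page; it is not DejaCode or any other nexB tool. The notice patterns, the abbreviated zlib reference entry, the file contents, the "Example Corp" target name, and the action-item labels are all constructed for illustration.

```python
"""Three-layer license and origin scan over a constructed toy codebase."""
import hashlib
import re
from collections import Counter

TARGET = "Example Corp"  # assumed name of the seller (target) company

# Layer 1: direct scan for license notices. These are header phrases, not full
# license texts; a real scanner carries hundreds of such rules.
LICENSE_PATTERNS = [
    ("LGPL", re.compile(r"GNU (?:Lesser|Library) General Public License", re.I)),
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("Apache-2.0", re.compile(r"Licensed under the Apache License,? Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms", re.I)),
]
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\([cC]\)|©)?\s*(?:[0-9]{4}[-,\s]*)+[^\n*/]+", re.I)
COPYLEFT = {"GPL", "LGPL"}


def fingerprint(content):
    """Layer 2 key: SHA-1 over whitespace-normalized text, so a CRLF checkout
    and the LF copy that ships still hash to the same value."""
    normalized = "\n".join(line.rstrip() for line in content.splitlines())
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest()


# Constructed reference corpus (abbreviated zlib header), indexed by fingerprint.
ZLIB_INFLATE_HEADER = (
    "/* inflate.c -- zlib decompression\n"
    " * Copyright (C) 1995-2012 Mark Adler\n"
    " * For conditions of distribution and use, see copyright notice in zlib.h\n"
    " */\n"
)
REFERENCE_INDEX = {fingerprint(ZLIB_INFLATE_HEADER): ("zlib 1.2.8", "Zlib")}

# Constructed Development codebase (path -> content) and Deployed product.
DEVELOPMENT = {
    "src/app/main.c": "/* Copyright (c) 2013 Example Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "src/app/util.c": "static int helper(void) { return 1; }\n",  # no notice, no match
    "src/util/json.c": "/* Copyright (c) 2011 J. Doe\n * Permission is hereby granted, free of charge, to any person\n */\n",
    "src/third_party/zlib/inflate.c": ZLIB_INFLATE_HEADER.replace("\n", "\r\n"),  # CRLF checkout
    "tools/gpl_parser/parse.c": "/* Copyright (C) 2010 Somebody\n * This program is free software; you can\n"
                                " * redistribute it under the terms of the GNU General Public License\n */\n",
}
DEPLOYED = {  # the build ships four of the files above plus one with no source in the repo
    "firmware/main.c": DEVELOPMENT["src/app/main.c"],
    "firmware/util.c": DEVELOPMENT["src/app/util.c"],
    "firmware/json.c": DEVELOPMENT["src/util/json.c"],
    "firmware/inflate.c": ZLIB_INFLATE_HEADER,
    "firmware/vendor_blob.c": "/* supplied by a contractor */\nint blob(void) { return 42; }\n",
}


def scan_file(path, content, target=TARGET):
    """Layers 1 and 2 for one file: notices, copyrights, reference match, origin class."""
    licenses = [name for name, pat in LICENSE_PATTERNS if pat.search(content)]
    copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(content)]
    fp = fingerprint(content)
    component, ref_license = REFERENCE_INDEX.get(fp, (None, None))
    if ref_license and ref_license not in licenses:
        licenses.append(ref_license)  # the match supplies what the notice scan missed
    if component or licenses:
        origin = "OSS"
    elif any(target in c for c in copyrights):
        origin = "original"
    else:
        origin = "unknown"  # no clue at all: a tool cannot decide this, an expert must
    return {"path": path, "fp": fp, "licenses": licenses,
            "copyrights": copyrights, "component": component, "origin": origin}


def map_deployed(inventory, deployed):
    """Layer 3: tie each shipped file back to a Development file by fingerprint."""
    by_fp = {rec["fp"]: rec for rec in inventory}
    bom, unmapped = [], []
    for path in sorted(deployed):
        rec = by_fp.get(fingerprint(deployed[path]))
        if rec is None:
            unmapped.append(path)  # shipped, but absent from the Development codebase
        else:
            bom.append(rec)
    return bom, unmapped


def audit(development, deployed, target=TARGET):
    """Full pass: inventory, Deployed BOM, action items filtered to shipped code."""
    inventory = [scan_file(p, c, target) for p, c in sorted(development.items())]
    bom, unmapped = map_deployed(inventory, deployed)
    shipped = {rec["path"] for rec in bom}
    actions, filtered = [], []
    for rec in inventory:
        copyleft = bool(COPYLEFT & set(rec["licenses"]))
        if copyleft and rec["path"] in shipped:
            actions.append(("copyleft-deployed", rec["path"]))  # needs interaction analysis
        elif copyleft:
            filtered.append(("copyleft-not-deployed", rec["path"]))  # in inventory, not in BOM
        if rec["origin"] == "unknown" and rec["path"] in shipped:
            actions.append(("needs-expert-review", rec["path"]))
    for path in unmapped:
        actions.append(("no-source-for-deployed-file", path))  # Development codebase incomplete
    return {"inventory": inventory, "deployed_bom": bom, "unmapped": unmapped,
            "action_items": actions, "filtered": filtered,
            "origin_mix": dict(Counter(rec["origin"] for rec in inventory))}
```

Run `audit(DEVELOPMENT, DEPLOYED)`: the zlib file carries no recognizable license phrase, so only the fingerprint layer identifies it, and only because the fingerprint is normalized across the CRLF checkout and the LF copy that ships. The GPL parser tool is in the inventory but never ships, so it drops out of the Deployed action list, while the contractor file that ships with no source in the repository becomes a finding in its own right, exactly the "is the Development codebase complete?" check the slide describes. The file with no notice and no match lands in "unknown", which is the bucket the tools slide warns about: a tool can only say that it found nothing.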

Additional Information: Why nexB (1/2)
•  100% of our customers are repeat customers and references
•  We have a balanced approach
   –  Automated code analysis AND analysis by software experts
   –  Direct consultation with engineering, management and legal teams
   –  Concrete Action items with nexB's recommended resolution and the seller's Responses

Additional Information: Why nexB (2/2)
•  Trusted third party
   –  Mitigates confidentiality concerns of a seller company
   –  Maintains proper segregation of information during acquisition negotiations
   –  Enables objective analysis with appropriate consideration of feedback from all parties

Additional Information: Contact us
Contact person: Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+1 415 287-7643
More information: http://www.nexb.com/

Additional Information: Lessons Learned – Acquisitions (1/2)
•  Schedule is always a major issue
•  Initiate a software audit early, because
   –  The seller company will probably not have done this before
   –  Negotiation of an NDA takes longer than you expect
   –  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with the target company
   –  Get answers for open issues
   –  Get agreement about remediation strategies
   –  Get agreement that the report is objective and reasonable

Additional Information: Lessons Learned – Acquisitions (2/2)
•  Identify the "crown jewels" and key platforms of the seller's technology
   –  Concentrate the audit on the most important parts
   –  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
   –  For instance, tolerance for certain versions of open source licenses or for proprietary Linux drivers varies among companies
   –  We apply the Buyer company's policies if available
   –  Otherwise we apply "conservative" community standards
   –  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
