Building trust in your software is important, but software trust is even more important in M&A transactions.
The Black Duck® Audit team is part of the Synopsys Software Integrity Group. And Synopsys is all about trust. The Synopsys mission is to help you build trust in your software.
There is nothing better than a good night’s sleep. And with the importance of software to almost every business today, concern about software risk can negatively impact your slumber. An estimated 99% of good sleepers trust that they won’t wake up to news of a breach, a lawsuit, or a customer-impacting outage. OK, that’s my estimate.
The elements of the software trust triangle are
Much like dating, the dance that precedes an M&A transaction is all about building mutual trust. And in a tech transaction, acquirers must fully trust the software they are taking on board because it embodies much of the value of the deal. Beyond the weekends and nights of work required by an M&A deal, there are plenty of concerns to keep everyone involved up at night.
A high degree of mutual trust must be established before due diligence starts—usually after months or more of engagement—because the diligence process really ups the ante on commitments and information exchange. Both sides must believe that the deal is going forward in order to justify such a big next step. Acquirers must trust that there are no big skeletons in the target’s closet. Targets must trust that the acquirers are ready to do the deal. Everyone must have some confidence that what they see is what they get.
Due diligence, then, is the verify part of “trust but verify.” Going into the process on a tech deal, the software is one of the bigger unknowns. Trust though they might, sellers are reluctant to share the details of their software with the acquirer (often a would-be competitor), even during diligence, in case the deal falls through. Many acquirers share a reciprocal concern: if the deal falls through, they don’t want to be suspected or accused of appropriating the target’s trade secrets in the code.
But assessing the software trust triangle—the composition and licenses, the security, and the quality of the software—requires analyzing the source code, the target’s most precious asset. Acquirers have concerns about risk in these areas. Because many targets of acquisitions lack adequate controls in their development processes, there are often software issues requiring remediation. For example, the “Open Source Risk in M&A by the Numbers” white paper found that 89% of transactions included open source components with license conflicts, and 97% contained known but unpatched security vulnerabilities.
The critical role of a trusted third party is to bridge the gap. It’s important that the acquirer trust that the third party will deliver a complete analysis of the trust triangle under the tight timelines of a typical due diligence effort (weeks, not months). But even more critical is the target’s trust that the third party will protect their intellectual property and give them a fair shake in the assessment.
Industry-trusted Synopsys Black Duck Audits enable buyers and sellers in an M&A transaction to build trust into software due diligence. While we don’t guarantee a good night’s sleep, we promise that there will be less to keep you up at night. Trust us; we got this.
Phil is the general manager of Synopsys’s Black Duck Audit business auditing the composition, security and quality of software for companies on both sides of M&A transactions. He focuses on software due diligence best practices and the M&A market. He also works closely with the company’s law firm partners and the open source community and is a frequent speaker on open source management and M&A. Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group which created an ISO standard for Software Bills of Materials (SBOMs). With decades of software industry experience, Phil held senior management positions at Hammer/Empirix and High Performance Systems, a startup in computer simulation modeling. He began his career in marketing and sales with Teradyne's electronic design and test automation (EDA) software group. He’s also written a book on fly fishing. Phil has an AB and an MS in engineering from Dartmouth College.