Posted by Fred Bals on Tuesday, February 27th, 2018
When the private equity industry was in its infancy in the 1980s, the tech sector was barely on its radar. Tech is now attracting all types of private equity firms, with the sector representing over 40 percent of US buyouts last year, a trend reflecting the global M&A market, in which tech is also the most popular sector.
In technology deals, one of the biggest areas of focus for PE firms before final acquisition is tech due diligence to help acquirers understand the intellectual property they’re buying. Savvy buyers will also put processes in place to maintain the value of the assets acquired and to ensure there are no issues with those assets when it’s time to divest.
“From our point of view, we want to understand the code we’re buying better, how robust it is and if there are any potential issues,” says Greg Holmes, an investment executive at NorthEdge Capital, which manages £540m of private equity funds. “We’re interested in the open source nature of the code, whether there are any licensing issues, and identifying those issues up front to work through them.”
An open source audit looks at specific risks and vulnerabilities that relate to the open source components within a code base. Open source may come with legal obligations that go with the usage of that code. There may be security vulnerabilities within the code. An open source code audit (also known as “software composition analysis”) is an automated process that discovers the open source components in a codebase, and all the legal compliance issues related to those open source components, prioritizing any issues based on their severity. The audit will also discover known security vulnerabilities related to the open source components as well as operational risks such as versioning and duplications.
Getting to the root of potential risks associated with open source ahead of an event—be it acquisition, investment, divestiture, or funding—is important to protecting IP value. But what about the other third-party services that could have made their way into code and present additional unknown risks?
As with open source, companies often have little visibility into the web service APIs on which their applications depend. Similar to the licensing of open source, those applications may have problematic terms of service associated with them. Web services can also expose companies to potential data privacy or overall operational risks that could disrupt or severely impact business. Black Duck web service risk audits scan the code to provide a list of external web services utilized by an application, identifying those web services that may introduce legal or privacy risk into your application.
Best practices for a growing number of PE firms include such audits whenever software assets are a significant part of the deal valuation, to ensure the quality, integrity and security of the intellectual property they’re buying. Both investment bankers and PE firms realize that code audits should be part of the overall tech due diligence process.
Black Duck On-Demand often acts as a trusted advisor for both sides of the transaction. From the buyer’s perspective, they want assurances the code they’re purchasing doesn’t have unidentified open source licensing, security, or code quality risks. On the seller’s side, their source code is often the company’s lifeblood, and they need a high degree of confidence that code won’t be disclosed.
“We go to experts like Black Duck to verify that there are no issues within the software asset,” says Holmes. “And that’s the value of Black Duck—that at day’s end we have assurance that there’s no red flags or potential issues, or conversely if there had been issues to have them brought out before the deal is completed.”
Read the full customer profile on how Black Duck by Synopsys is helping NorthEdge Capital make tech investments with confidence—alerting the firm to potential legal, operational, and security issues in acquisitions and sales by identifying open source code and third-party components and licenses.