close search bar

Sorry, not available in this language yet

close language selection

Software due diligence for PE & VC investors

Zvi Levitas

Jul 28, 2023 / 3 min read

Software due diligence is a vital process for private equity (PE) and venture capital (VC) investors who want to finance high-growth start-ups in the software industry. It can help uncover value creation opportunities, reduce R&D risk, and support deal execution. Properly done, it will provide a good picture of the quality, scalability, and sustainability of the software products and services offered by the target company. By conducting a thorough software due diligence, investors can make informed decisions, protect themselves in the deal terms and plan to address technical shortcomings in anticipation of ultimate divesture. Software due diligence has become a standard part of tech mergers and acquisitions (M&A) transactions and understanding what is in a codebase ensures that the software is an asset, not a liability.

Important considerations when assessing targets’ software

The target's more overarching processes and practices must be assessed, along with a deeper look at the actual code.

  • Process and Organization:
  • Code:
    • The quality, architecture, scalability, sustainability of software products.
    • The software licenses and agreements that the target company has with other parties, such as open source, suppliers, vendors, or partners.
    • The software products' security posture, at a high-level/ from a white box perspective.

An optimal approach to inform an investment or buyout decision

  • Software Development Audit: A qualitative analysis of the development practices and the organization as a whole,  including coding standards, processes, and tools. This kind of assessment is based primarily on interviews and comprehensive review of documentation and artifacts, and it leans heavily on the broad expertise of experienced software consultants. Understanding a target’s practices and capabilities provides a forward look into the promise of future software development.
  • Code Audits: Complementing the qualitative process evaluation, evaluating what’s in the code reveals the results of past practices and identifies technical debt the company will need to “pay off” going forward. As suggested above, there are multiple facets to be examined in the code and the depth of analysis can vary given the investment scenario.
    • Open source & 3rd party code: Depending on the target, its sophistication and the investment scenario, open source & 3rd party code evaluation may range from a high-level, automated scan to a comprehensive, expert-driven audit. (Read more in: The top three differences between an open source audit and an open-source scan). PE & VC investment professionals sometimes take the high-level approach to inform the transaction. Once the transaction is closed, they may opt for a deeper dive analysis  to enhance development capabilities by implementing sophisticated tools that can address the overall software composition of an application, as discussed in Navigating software due diligence with a Black Duck Audit.
    • Quality: Understanding how software is developed and identifying the sections of the codebase that are heavy with technical debt can help Investors assess software risks during an M&A.
      • Design Quality Audits use experienced architects and powerful architectural analysis tools to assess overall architecture in terms of modularity and hierarchy.. The report includes an analysis of how the architecture affects maintainability and identifies potential risk areas that are candidates for code refactoring (technical debt). Our blog,  Assessing design quality for better software due diligence, discusses this in more depth.
      • Code Quality Audits evaluate on how well the code is written. The code quality audit combines quantitative analysis using static analysis tools and expert code review with results compared to industry benchmarks.
    • Application Security: A Secure Design Review Audit (SDR) is based on a series of interviews by a security architect. The SDR evaluates the design of key security controls, including password storage, identity and access management, and use of cryptography, against industry best practices to determine whether such components/factors are misconfigured, weak, misused, or missing. SDR audits find system defects related to security controls in the design of the application. A deeper look involves static testing and penetration testing. Targets may be able to provide reports from third party pen tests.

Scoping & Timescales

Evaluating all aspects of a target’s technology could extend indefinitely and go infinitely deep, so it is important to scope optimally with the deal scenario in mind. The right package may prioritize certain applications and/or certain risk areas, depending on the scenario.

A typical timeline for a full software due diligence is 2-3 weeks.

The scope of our open source and third party code reviews is based primarily on the amount of code. More and larger applications and more open source-heavy languages generally mean greater scope. Similarly, multiple applications will scale the effort of application security analysis.

Software quality audits are driven by the number of languages. Typically, there will be multiple languages employed in an application. But often the scenario will dictate focus on a core language.

With offices on the US West and East coasts and Europe, Black Duck Audits support investment professionals across the globe. We drive and tailor software due diligence efforts to ensure that private equity and venture capital firms are confident with their investments, and that such processes help yield the true value of a deal and the successful execution of plans moving forward.

Continue Reading

Explore Topics