Software Due Diligence: Before You Buy It, Look Under the Hood

Would you ever buy a car without looking under the hood? Or a house without having an inspector comb over every inch to check for potential problems you could run into down the road? No. This same investigative mentality should be applied when a company is evaluating whether or not to merge with, or acquire, another entity. While companies do due diligence to make sure there are no hidden financial problems, legal troubles, or even company culture clashes, one place they often overlook is the origin of a company’s software assets. Do you know where its code came from or whether there are security or license issues? Have you done your software due diligence?

Many software developers routinely take code from open source repositories and embed it in their company’s products to speed up development. While the efficiency and cost savings of code reuse should be encouraged, incoming code is very often not reviewed for potential security and ownership issues. This might not seem like a problem initially, but violations of open source licenses – like the widely used General Public License (GPL) – can accumulate in the code base that makes up a company’s core product line. The inclusion of GPL code, and other code under similar “copyleft” licenses, might go undetected for quite some time, but when it does show up (and it will) it can create significant problems on both sides of the M&A transaction.

The takeaway for the acquiring company? During the M&A audit, software code, licensing, and security issues have to be checked and double-checked to confirm your company understands the license obligations (and restrictions) associated with the software your company is acquiring.

Why software due diligence?

For those being acquired, be warned that discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional, longer, or enhanced escrows, delay closing, or even cause an acquisition to be called off altogether. This does not apply strictly to M&A, either: if you are looking to raise or borrow money, you had better be sure your code is in order before you open the hood to potential investors or lenders, since they too will want to be certain that you have the rights to the IP assets you claim.

In Black Duck’s experience performing code audits for M&A due diligence, 75 percent of companies find unknown licenses. In fact, over 95 percent find open source that the target didn’t know was in there – and in 5 percent of cases, the deal never materializes because of what is found!

In order to avoid these potential M&A deal breakers, you should, at a minimum:

  • Regularly scan your code, and the code of potential acquisition targets, to determine what open source components and licenses are in use
  • Properly manage your use of open source by continually tracking it throughout the application development lifecycle, implementing clear policies and procedures around its use
  • Ensure that you are in compliance with all applicable open source licensing obligations
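The first step above, scanning a code base to find out which licenses are in use, can be illustrated with a small inventory script. This is an added example, not Black Duck’s audit tooling: it reads SPDX tags and a few fragments of license boilerplate from a constructed sample tree, groups files as copyleft, permissive or unknown, and the license lists and text signatures are assumptions kept deliberately short.

```python
import re
from typing import Dict, List

# License groupings are an assumption for this example; a real audit
# would consult a full license database rather than these short sets.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "LGPL-2.1-only"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
# Fallback for files with no SPDX tag: fragments of license boilerplate.
TEXT_SIGNATURES = [
    (re.compile(r"GNU General Public License", re.I), "GPL-text"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Licensed under the Apache License, Version 2\.0", re.I), "Apache-2.0"),
]

def detect_license(source: str) -> str:
    """Return the SPDX id, a boilerplate match, or UNKNOWN for one file."""
    m = SPDX_RE.search(source)
    if m:
        return m.group(1)
    for pattern, name in TEXT_SIGNATURES:
        if pattern.search(source):
            return name
    return "UNKNOWN"

def classify(license_id: str) -> str:
    """Map a license id to the obligation category an auditor cares about."""
    if license_id in COPYLEFT or license_id.startswith(("GPL", "AGPL", "LGPL")):
        return "copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"

def scan_sources(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Group file paths by license category; unknown entries need manual review."""
    report: Dict[str, List[str]] = {"copyleft": [], "permissive": [], "unknown": []}
    for path, source in sorted(files.items()):
        report[classify(detect_license(source))].append(path)
    return report

# Constructed sample tree: a product that pulled in code of mixed provenance.
SAMPLE_TREE = {
    "src/app.py": "# SPDX-License-Identifier: MIT\nprint('hi')\n",
    "src/vendor/crc.c": "/* Part of libfoo, released under the\n * GNU General Public License version 2. */\n",
    "src/vendor/json.go": "// SPDX-License-Identifier: Apache-2.0\npackage json\n",
    "src/util/hash.js": "// helper copied from a forum post, no license stated\n",
}

if __name__ == "__main__":
    for category, paths in scan_sources(SAMPLE_TREE).items():
        print(f"{category}: {paths}")
```

Files landing in the unknown bucket are the ones the page warns about: code whose origin nobody can vouch for until someone traces it.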

We can all agree on the many benefits that come with using open source software, yet companies need to keep in mind the critical importance of open source code analysis and compliance before it affects the value of their software assets and potential M&A transactions. This is no longer just an issue for engineers: code awareness and security affect the entire company and should not be taken lightly.
