Posted by Fred Bals on Tuesday, January 23rd, 2018
AccessOne CTO Connor Gray knows that tech due diligence is essential in an M&A to learn about the potential security and operational risks from a target’s use of open source.
Best practices for a growing number of firms involved in a merger or acquisition transaction (commonly known as an M&A) include a code audit whenever software is a significant part of the deal. And more and more firms are realizing that an open source code audit should be part of their overall tech due diligence process.
Why? In modern software development, code is rarely written from scratch. Forrester Research indicates that custom code now often comprises only 10%–20% of many applications, with the remainder being previously developed code, third-party code, and increasingly, open source code as the core foundation for applications. In fact, Black Duck code audits indicate that 95% of codebases contain undisclosed open source.
Unfortunately, many open source components come with liabilities in their license agreements. And according to the Forrester Wave™ on Software Composition Analysis, “One out of every sixteen open source download requests is for a component with a known vulnerability.”
The need to understand open source risk in a recent acquisition was the driver for the leading provider of patient medical financing options, AccessOne, to reach out to Black Duck by Synopsys for an open source code audit.
“We wanted to assure that the target was keeping code current and identify any security or operational risk that could result from their use of open source,” AccessOne chief technology officer Connor Gray told me late last year. “We also took advantage of the web services analysis that Black Duck On-Demand provides. Those provide indicators of an organization’s rigor around their software process. If the target isn’t aware of what code is in their code base, it might be an indication that they are doing a sloppy job of code management. If they have developers putting code into the code base without the organization being aware of it, that poses significant risk.”
As I previously noted, open source may come with legal obligations attached to its use. There may also be security vulnerabilities within the code. A Black Duck On-Demand open source code audit is an automated process that discovers the open source components in a codebase and the legal compliance issues related to those components, prioritizing any issues by severity. The audit also discovers known security vulnerabilities in the open source components, as well as operational risks such as outdated versions and duplicated components.
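To make the four risk classes concrete, here is an added illustration of the kind of check a composition audit performs. It is not Black Duck's code or data: the component names, versions, advisory identifiers, "latest release" table and license policy are all constructed, and the audit logic is a simplified stand-in for what a commercial tool does against a real knowledge base.

```python
"""Toy software-composition audit (added illustration, not Black Duck's code).

Walks a constructed component manifest and reports, in severity order:
  - license risk      (copyleft obligations, or an unidentified license)
  - vulnerability     (component version below an advisory's fixed version)
  - outdated version  (component lags the newest known release)
  - duplication       (same component/version vendored more than once)
"""
from collections import Counter

# Constructed manifest: (component, version, declared license). Names are hypothetical.
MANIFEST = [
    ("libfoo", "1.2.0", "MIT"),
    ("libbar", "0.9.1", "GPL-3.0"),
    ("libbar", "0.9.1", "GPL-3.0"),      # vendored twice: duplication risk
    ("libbaz", "2.0.0", "Apache-2.0"),
    ("libqux", "3.1.4", "UNKNOWN"),      # nobody has identified the license
]

# Constructed "newest known release" table used for the versioning check.
LATEST = {"libfoo": "1.4.0", "libbar": "1.0.0", "libbaz": "2.0.0", "libqux": "3.1.4"}

# Constructed advisories with placeholder ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "fixed_in": "1.3.0", "severity": "HIGH"},
    {"id": "ADV-0002", "component": "libbaz", "fixed_in": "1.9.0", "severity": "CRITICAL"},
    {"id": "ADV-0003", "component": "libbar", "fixed_in": "1.0.0", "severity": "MEDIUM"},
]

COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-3.0"}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(v):
    """Dotted numeric version -> tuple, so 1.10.0 compares greater than 1.9.0."""
    return tuple(int(p) for p in v.split("."))


def audit(manifest, latest, advisories):
    """Return findings for all four risk classes, most severe first."""
    findings = []

    # Duplication: count identical component/version pairs across the manifest.
    copies = Counter((name, ver) for name, ver, _ in manifest)
    for (name, ver), n in copies.items():
        if n > 1:
            findings.append(dict(kind="duplicate", component=name, version=ver,
                                 severity="LOW", detail=f"{n} copies in codebase"))

    # Remaining checks run once per distinct component entry.
    for name, ver, lic in sorted(set(manifest)):
        # Legal: an unidentified license is worse than a known copyleft one,
        # because its obligations cannot be assessed at all.
        if lic == "UNKNOWN":
            findings.append(dict(kind="license", component=name, version=ver,
                                 severity="HIGH", detail="license not identified"))
        elif lic in COPYLEFT:
            findings.append(dict(kind="license", component=name, version=ver,
                                 severity="MEDIUM", detail=f"{lic} carries copyleft obligations"))

        # Security: any advisory whose fixed version is above what ships.
        for adv in advisories:
            if adv["component"] == name and parse_version(ver) < parse_version(adv["fixed_in"]):
                findings.append(dict(kind="vulnerability", component=name, version=ver,
                                     severity=adv["severity"], id=adv["id"],
                                     detail=f"fixed in {adv['fixed_in']}"))

        # Operational: the component lags the newest known release.
        newest = latest.get(name)
        if newest and parse_version(ver) < parse_version(newest):
            findings.append(dict(kind="outdated", component=name, version=ver,
                                 severity="LOW", detail=f"latest is {newest}"))

    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"], f["kind"]))
    return findings


def summarize(findings):
    """Count findings per severity level (every level present, even if zero)."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit(MANIFEST, LATEST, ADVISORIES)
    for f in results:
        print(f"{f['severity']:<8} {f['kind']:<13} {f['component']} {f['version']}: {f['detail']}")
    print(summarize(results))
```

On the constructed manifest the run surfaces seven findings: the unidentified license on libqux and the libfoo advisory rank highest, the copyleft component and its medium advisory follow, and the duplicate copy plus two outdated versions trail as operational noise. Note that libbaz ships a version above its advisory's fix, so it correctly produces no vulnerability finding even though an advisory exists for it.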
Given the protection they provide against the impact of a lawsuit, a data breach, or a loss of deal value, Black Duck On-Demand open source code audits are one of the most cost-effective risk mitigation strategies that a firm involved in an M&A transaction can undertake. Black Duck On-Demand performs hundreds of open source software audits for some of the largest organizations and most active acquirers in the world. By identifying open source code and third-party components and licenses, Black Duck On-Demand can alert your firm to potential legal, operational, and security issues. That way, you can:
“I’ve been through a number of different acquisitions, both as a buyer and a seller,” Gray says. “The thoroughness in the data that we got back from Black Duck On-Demand is far beyond anything else that I’ve seen. I would say to any company involved in an M&A transaction that you really aren’t doing the job you need to do without something like a Black Duck On-Demand audit to help you through it. I cannot imagine doing a transaction without using Black Duck On-Demand’s services.”