If your company plans to be involved with a merger and acquisition (M&A) transaction at some point, either as seller or buyer, you will want to involve your organization’s general counsel or seek outside legal advice, as understanding licensing terms and conditions and identifying conflicts among various licenses can be challenging. It’s vital to get this right the first time—especially if you build packaged or embedded software—because license terms are often more explicit for shipped software and harder to mitigate after the fact.
Knowing what open source code is in a company’s codebase is crucial for properly managing its use and reuse, ensuring compliance with software licenses, and staying on top of patching vulnerabilities—all essential steps in reducing business risk. From an M&A perspective, a code audit enables a buyer to understand risks in the software that could affect the value of the intellectual property and the remediation required to address those risks. Sellers may employ an audit proactively to avoid surprises in due diligence, particularly given the amount of unknown open source in a typical company’s code. An open source audit can be invaluable for companies wanting a better understanding of the code’s composition. Using Black Duck SCA, expert auditors comprehensively identify the open source components in a codebase and flag legal compliance issues related to those components, prioritizing issues based on their severity.
The audit discovers known security vulnerabilities that affect the open source components, as well as information such as versions, duplications, and the state of a component’s development activity. It also provides clues as to the sophistication of a target’s software development processes. Open source is so ubiquitous today that if a company isn’t managing that part of software development well, it raises questions as to how well it is managing other aspects.
If you’re on the buy side of a tech M&A transaction, an open source audit should be part of the software due diligence process. Acquirers need to identify problematic open source in the target’s code before the transaction terms are set, and a trusted third-party audit is the best way to get a deep, comprehensive view. Sellers should prepare for questions about the composition of their code and how well they have managed open source security and license risk. Proactive sellers can prepare for an acquisition by having their software audited in advance.
By identifying open source code and third-party components and licenses, an open source audit can alert your firm to potential legal and security issues in an M&A transaction. With an open source audit, you can
- Avoid surprises
- Mitigate legal exposure
- Understand risks that may affect software asset values
- Resolve potential issues before they affect the transaction
- Build appropriate protections into the deal terms
- Plan integration and remediation of seller/buyer code
Significant monetary and brand risk can be buried in the open source components of acquired code. Evaluating that risk as part of an acquirer’s due diligence must be a factor in the decision-making process of any M&A transaction.