“There are many dimensions you need to examine in the technology of a company that you are acquiring,” Gray continues. “It’s important to be able to evaluate the licensing of the code they have in use. Our target was utilizing open source components. Identifying all those components and the different licensing types associated with the underlying source code was vital so that we could understand what risks and obligations potentially existed for us.
“We wanted to assure that the target was keeping code current and identify any security or operational risk that could result from their use of open source. We also took advantage of the web services analysis that the Black Duck audit team provides. This helped us evaluate what web services were being connected to, as well as potential licensing implications, authentication implications, and security around those various web services.
“All of those pieces provide indicators of an organization’s rigor they have around their software process. If the target isn’t aware of what code is in their code base, it might be an indication that they are doing a sloppy job of code management. If they have developers putting code into the code base without the organization being aware of it, that poses significant risk. It shows a general lack of control.”