Webinar–The State of Open Source in M&A Transactions

CHRIS STAFFORD
Senior Manager,
Mergers & Acquisitions
West Monroe Partners
The State of Open Source
in M&A Transactions
PAUL COTTER
Senior Architect,
Cybersecurity
West Monroe Partners

© 2019 Synopsys, Inc. 2
© 2019 Synopsys, Inc.2
Synopsys Confidential Information
Three critical trends
OSS management should
fit into a broader security
program
Sellers need to be prepared
well in advance of a
transaction
Buyers are becoming more
focused and sophisticated
during a transaction

About West Monroe Partners
O U R G L O B A L N E T W O R K S O F T W A R E & H I G H - T E C H A D V I S O R S
CARVE OUT READINESS & EXECUTION
DUE DILIGENCE
SELL-SIDE READINESS
MERGER INTEGRATION
VALUE CREATION
NORTH AMERICA
GLOBAL
NETWORK
LATIN AMERICA
EMEA & ASIA
GROWTH STRATEGY
OPS TRANSFORMATION
CUSTOMER SUCCESS
PRODUCT/R&D
IT/OPS/CYBER

Over LTM, West Monroe advised on 450 transactions, 150 software transactions,
and directly advised over 75 PE-backed software portfolio companies
Aerospace + Defense
Banking + Insurance
Business Products + Services
Capital Markets + Trading
Education
Energy + Utilities
Food + Food Distribution
Healthcare + Life Sciences
High Tech + Software
Manufacturing + Distribution
Private Equity + Alternative Investments
Professional Services
Public Services
Real Estate
Retail
Telecommunications + Media
OtherHIGH TECH
& SOFTWARE
MANUFACTURING
& DISTRIBUTION
HEALTHCARE &
LIFE SCIENCES

OSS management & DevSecOps

While an OSS audit in diligence is important, ongoing license
governance is more impactful in the long term
WHAT IT IS AND DOES
◆ Occurs in an ongoing manner
(OpEx investment)
◆ Helps identify licenses being used or
modified incorrectly
◆ Gives a buyer historical evidence of a
continuous process to monitor and
remediate licensing issues
WHAT IT DOES NOT DO
◆ Predict license compliance in the future
◆ Prevent misuse or developer mistakes
WHAT IT IS AND DOES
◆ Occurs at a point in time
◆ Looks for known license/security weaknesses
◆ Checks off box for compliance
◆ Gives a buyer assurances at a single point in
time
WHAT IT DOES NOT DO
◆ Evaluate how a company prevents new
licenses from being misused
◆ Predict license compliance in the future
One-time OSS audit Ongoing OSS governance program

Software
developers
Tech leadership
Management
team
Aware that OSS exists ü ü ü
Knows where to find it ü
Knows how to use it ü ü
Knows when to seek out counsel ü ü
Aware of the risks associated with OSS use ü ü ü
Knows how OSS fits into the company’s
business strategy
ü ü
Monitored as a part of IT governance ü
To limit liability, each role in the organization must be aware of roles
and responsibilities of using OSS

The move to DevSecOps involves Operations and Security as
integrated parts of each stage in the product life cycle, enabling
holistic security
Traditional DevOps
DevSecOps
Dev Sec Ops

• Capitalizes on security and
operations involvement across all
product/feature stages
• Leverages security tools and
processes
• Moves security from a stage gate to
an integrated part of the process
• Implements consistency across
delivery teams
A holistic approach embeds security and operations within all
phases of the product life cycle
DevSecOps
Plan
Create
Verify
Package
Release
& Deploy
Operate &
Monitor
Security
Training
Secure
Design
Secure
Coding
Static
Analysis
Dynamic
Analysis
Attack
Surface
Check (inc.
OSS)
Final
Review
Code
Signing
Incident
Response
Plan
Testing &
Scanning
Monitor
Logs &
Apps
Change
Mgmt.

HOW HAVE MOST MID-MARKET TECH COMPANIES HANDLED THIS TO DATE?
We see distinct differences in DevSecOps based on a company’s
strategy
✕ No holistic approach
✕ No dedicated department/staff
✕ Inconsistent application of
processes and tools
✕ Point application of security
practices (usually ineffective)
Less than 30% of companies we see have a
DevSecOps strategy across their products and platforms
INCOMPLETE/INCONSISTENT
APPROACH TO DELIVERY
✓ An end-to-end view of delivery
✓ Clearly defined metrics and
measures
✓ Buy-in from management on the
importance of and need for
consistency
✓ Continuous security monitoring and
testing
DEFINED, HOLISTIC
DELIVERY STRATEGY

Seller preparation

Most middle-market software companies have immature
or no governance processes related to OSS
◆ Performed at the end of
the SDLC
◆ High effort
◆ Low accuracy /
thoroughness
◆ Dependent on developers
◆ Difficult to maintain
◆ Not usually the source of
truth
◆ Periodic scans / audits
◆ Labor intensive
◆ Not scalable (>11 new
vulns/day)
MANUAL
REVIEWS
SPREADSHEET
INVENTORY
VULNERABILITY
DETECTION & TRACKING

• Conduct a third-party audit and risk assessment of the platform(s) for vulnerabilities, unused
components/code, and third-party code without known licenses
• Develop and execute a roadmap for comprehensive secure SDLC processes, including:
– OSS governance model
– Education of engineering team and implementation of governance processes
– Establish SDLC KPIs, measure, track, and trend
• Remediate known issues identified in audit and document progress/improvements
One year out from a transaction, sellers can take significant steps to
improve their posture and demonstrate improvement
12 MONTHS 6 MONTHS 1 MONTH

• Ensure documentation and policy is consistent with processes and adjust as necessary
• Conduct internal OSS audit if last review is more than 6 months old
• Adjust or define roadmaps as needed to reflect current state (delays/changes)
• Prepare materials/documentation/positioning for due diligence
Six months allows sellers to address some gaps but not
fundamentally alter maturity

• Produce historical update / remediation reports
• Review process documentation
• Produce change logs from full scan (if completed earlier)
• Prepare for OSS audit during diligence (such as removing unused OSS component artifacts)
• Educate key team members (including management team) on OSS posture, secure SLDC
gaps/posture, and how to discuss any potential buyer concerns
If a transaction is imminent, sellers have little time to make
adjustments but can prepare for the diligence process

Buyer sophistication

The market for tech isn’t slowing down; in the first half of 2019, TMT
is still dominating, with 42% more transactions than the second-
busiest sector
622TMT
439Industrials + Chemicals
352Business Services
282Pharma, Medical, and Biotech
225Financial Services
208Consumer
151Energy, Mining, + Utilities
77
72
60
Construction
Transportation
Leisure
Real Estate 19
15
9
US M&A SECTORS BY VOLUME, H1 2019
Agriculture
Defense

Add-on acquisitions can drive rapid growth through cross-sell,
expansion into new markets, and enable more mature functional
integrations
◆ Operating flexibility of SaaS
companies
◆ Acquiring the right products and
services is always a quicker
approach
◆ The “buy and build” strategy
CONTRIBUTING FACTORS
2016
47% 61%
2007
% OF ADD-ONS AMONG
TOTAL SOFTWARE DEAL
COUNT

Buyers are becoming more focused and sophisticated during a
transaction process
Speed is a differentiator
for buyers
Buyers have less tolerance
for unknown product risks
Buyers have high
expectations and will
demand precision pre-close

Buyers will holistically evaluate OSS in diligence
• Via West Monroe or other
third party
• Will review audit output to
help interpret findings
• Will evaluate risks /
remediation paths with
legal diligence provider
• Via Black Duck or other
third party
• Requires 1–3 weeks’
duration, plus
review/explanation time
with third parties and
buyers
• Via third-party legal
advisors
• Will review audit output to
evaluate and measure
risks
• Will advise buyer on
remediation needed, reps
& warranties needs, and
closing conditions
OSS AUDIT TECH DILIGENCE LEGAL DILIGENCE

A CAUTIONARY TALE
Diligence of a remote management and security tool company
Conducted one-time OSS audit
Licensing issues identified
◆ 100+ license concerns
◆ Most concerns related to OSS that
was redistributed on Target’s
appliances
SITUATION
◆ Line-by-line investigation and root-
cause analysis
◆ Multiple hours spent on calls with
WMP, legal counsel, Black Duck,
buyer and seller
ACTION
Root cause
◆ 80%+ of issues related to Linux
distribution source code in the code
tree
◆ Most modifications to source were
being contributed back to the OSS
community
Lessons learned
◆ Careful scoping of scans is
necessary to avoid expensive and
exhausting meetings (delayed
transaction close, fees to advisors)
◆ Source code hygiene can help
prevent issues
RESULTS

A DELAYED DEAL
Diligence of a SaaS / on-prem software company
Conducted one-time OSS audit
Licensing issues identified
◆ The Target company had improperly
modified and deployed an OSS
component within their software
package
◆ The improperly modified code had
been included in legacy distributed
versions of the product, limiting the
company’s ability to upgrade
customers to a more recent version
SITUATION
◆ Completed Black Duck audit
◆ Legal advisors conducted research
on the license’s copyright owner to
evaluate potential outcomes
◆ Identified several “best” and “worst”
case scenarios and evaluated
actions required by Target prior to
close
ACTION
Outcomes
◆ Target required to remediate issue
and execute necessary deployments
prior to close (delayed deal closing)
◆ Modified reps & warranties and
advised on explanation for future
buyers
Lessons learned
◆ Lack of OSS insight can delay a
transaction
◆ A distributed codebase can lead to
ongoing licensing concerns
RESULTS

Webinar–The State of Open Source in M&A Transactions

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Webinar–The State of Open Source in M&A Transactions

Similar to Webinar–The State of Open Source in M&A Transactions (20)

More from Synopsys Software Integrity Group

More from Synopsys Software Integrity Group (9)

Recently uploaded

Recently uploaded (20)

Webinar–The State of Open Source in M&A Transactions