Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP


This webinar focuses on the issues related to improper use of open source software and how this can impact M&A and other partnering opportunities. Attendees will learn techniques to uncover potential issues and the benefits of properly managing your software assets to minimize delays and risks. Russell Hartz of SAP’s Corporate Development organization discusses their strategy and perspective on the subject and how they approach this kind of technical due diligence.

Published in: Business, Technology

1. Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP

2. Speakers
   Peter Vescuso, EVP of Marketing & Business Development, Black Duck Software
   Hal Hearst, Sr. Director, Olliance Group
   Russell Hartz, Corporate Development, SAP

3. Agenda
   - Market trends
   - Why technical DD is needed
   - M&A Issues
   - How it works
   - Code Scanning
   - Analysis
   - SAP: Perspective from a Major Acquirer
   - Summary
   Note: All registered participants will receive a follow-up email with a copy of the slides and a link to the webinar recording.
4. Market Trends
   Open source is becoming pervasive and ubiquitous
   - It's in your phone, your HD TV, your printer, your web browser, Google, Amazon, Twitter, etc.
   - Gartner reports 85% of enterprises use OSS today
   - Economics of OSS are compelling
   - Virtually all IT organizations now use OSS; much is ad hoc
   - 45% of use is mission-critical
   Market Need – "Managing Abundance"
   - < 30% of customers have any OSS policies
   - Need: address the challenges of multi-source development:
     - Compliance/Management – IP, security, export
     - Management/Automation – policy, process, multi-source
   451 Group Survey on OSS Use (December 2009)
   - 87% of companies say OSS meets or exceeds cost savings expectations
   - 39% of OSS users ranked flexibility as the primary benefit

5. Why Technical DD is Needed: Many Paths for Open Source to Get into a Code Base
   (diagram: Internally Developed Code, Outsourced Code Development, Commercial 3rd-Party Code and Open Source Software (from individuals, universities and corporate developers), originating in places such as Cambridge, San Mateo, Bangalore and Russia, all flow into Your Software Application, and each path carries Obligations; YOUR COMPANY – TOOLS, PROCESSES sits between the sources and the application)
   "Open source is a necessary component of all organizations' supply chain strategies. It is essentially a way to manage cost and mitigate 3rd party dependencies." Brian Prentice, Gartner Group
6. Why Technical DD is Needed: Issues
   Open Source Problems
   - Open source issues arise in the development process and software supply chain
   - Discovery of open source after open source representations have been made
   - Anonymous: entire source code posted on SourceForge
   Risks
   - Lose deal
   - Delay deal
   - Reduced price/valuation
   - Lost revenue

7. Why Technical DD is Needed: Issues
   - Use of open source is widespread (despite what your CTO tells you)
   - "A 'don't ask, don't tell' pact obscures the reality of OSS use" (Jeffrey Hammond, Forrester Research)
   - Major acquirers and licensees are increasingly sensitive to uncertainty in general and this issue in particular (some have a separate due diligence process for open source)
   - Difficult to correct problems during merger frenzy
   - Delay may be deadly to the deal

8. Open Source Licenses
   Open source licenses give broad rights
   - Copy, modify, redistribute
   - Includes express or implied patent rights
   But also obligations, which are triggered on distribution, not on use
   Product Risks
   - Uncertain "pedigree"
   - "AS IS"
   - Copyleft nature of GPL & other licenses

9. Risks of Unmanaged Code
   - Loss of Intellectual Property
   - License Rights and Restrictions
   - Software Defects
   - Export Regulations
   - Injunctions
   - Contractual Obligations
   - Security Vulnerabilities
   - Escalating Support Costs
10. Software Licensing Violations
    Software Freedom Law Center cases:
    - Best Buy
    - Cisco
    - Verizon
    - Monsoon Multimedia
    - Xterasys
    - High-Gain Antennas
    - Bell Microproducts
    - Super Micro Computer
    - Motorola
    - Acer
    - Skype
    - D-Link
    - BT
    Others:
    - Jacobsen v Katzer
    - ASUS eeePC laptop
    - Diebold
    What is at stake: Valuation; Infringement; Remediation Costs; New revenue; Support costs; Vulnerability
11. Technology Allows Easy Discovery of Unknown Open Source
    Black Duck Analysis
    - Compare code in the target's code base against a comprehensive KB of open source components
    - Generate a software Bill of Materials, identify license obligations and perform conflict analysis
    (diagram: the Code Base, made up of Open Source, Third Party Code and Internal Code, is matched by a Validation Server against the KnowledgeBase of Projects and Licenses; the Report contains the Bill of Materials and any License Conflict)

12. The Black Duck KnowledgeBase: Unmatched Depth & Breadth
    Comprehensive open source database
    - Over 100 billion lines of code
    - 550,000+ OSS projects, all versions
    - Over 5,060 sites
    - Representing 2,000+ unique licenses
    - 50,000+ security vulnerabilities
    - 550+ cryptographic algorithms
    Extensive metadata
    - Name, description, versions, URL
    - License, programming language, OS
    - National Vulnerability Database
    - Cryptography
    - Code prints of source/binary
    - Customer-specific/contributed
    - Addresses the "long tail" of OSS projects
    - Continuously expanded
    - Custom code printing to add your own code
    - Daily security vulnerability alerts
    - Automated metadata updates issued ~2x per month

13. Code Prints
    - Encoded representation of source code
    - Black Duck KnowledgeBase represented by billions of Code Prints
    Robust Code Detection
    - Exact and fuzzy Code Print comparison
    - Statistically based pattern matching
    Extensible to Additional Code
    - Add any code to a local copy of the KnowledgeBase
    - Track / manage sensitive source code
    Confidential
    - Source code and Code Prints remain local
    - Code Prints impossible to reverse engineer
    Code Prints make it all possible
    - Many TB of code can reside on a local server
    - Efficiently searched to speed time-to-results
    - Finds the origin of code even without an audit trail

14. Source Code Analysis
    Code matching
    - Compare Code Prints of your source code to the Black Duck KnowledgeBase
    - Detects matches of components, files and code fragments
    - Finds reused code even when altered
    - Reports project / license for confirmation
    - Language independent
    Dependency analysis
    - Import/include statements
    Integrated string search
    - Standard string search queries
    - Custom strings
    - Find licenses, copyrights, URLs, company names, user comments ("taken from"), ...
    Analysis results that are unachievable by a manual process

15. Binary Code Analysis
    File matching
    - Compares the checksum value (MD5) to the KnowledgeBase
    - Libraries, class files, executables, archives, images, and more
    Dependency analysis
    - Detect dependencies embedded in JAR, CLASS, DLL, SO, etc.
    Archives and Compressed Files
    - Descends into archive files (zip, jar, tar, war, ...)
    - Recursively performs source and binary analysis
    The Black Duck KnowledgeBase simplifies binary file identification

16. License Analytics
    - Over 2,000 open source and other licenses, with full license text
    - Licenses organized according to 24 attributes
    - Rights and obligations to simplify license review
    - Display of license conflicts
    - Automated approval process
    - Obligation fulfillment checklist
    - Add custom licenses
    Speed license reviews and make better choices, earlier in the development process
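The scanning and license-analysis steps described on the preceding slides (matching files against a knowledge base, fuzzy matching of altered code, string search for copyright and "taken from" notices, dependency detection from import/include statements, a bill of materials and a license conflict check) in miniature. This is an added example written for this page, not Black Duck's or SAP's code: SHA-256 digests of whitespace-normalised files and of individual lines stand in for Black Duck's proprietary code prints, the two-component knowledge base, the component names, the license attributes and the target code base are all constructed, and the conflict rule encodes only the slide's point that copyleft obligations are triggered by distribution, not by use.

```python
"""Miniature open-source code scan: fingerprint matching against a small
knowledge base, string search for notices, dependency detection, a software
bill of materials and a copyleft conflict check. Added example; every
component, license attribute and target file below is constructed."""
import hashlib
import re

def fingerprint(text: str) -> str:
    """Exact-match fingerprint over whitespace-normalised file content.
    A SHA-256 digest stands in for a proprietary code print (assumption)."""
    norm = "\n".join(l.strip() for l in text.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()

def line_shingles(text: str) -> set:
    """Per-line digests used for fuzzy (fragment) matching of altered files.
    Very short lines are dropped because they would match everything."""
    return {hashlib.sha256(l.strip().encode()).hexdigest()
            for l in text.splitlines() if len(l.strip()) > 8}

# Constructed knowledge base: component -> (license, reference source).
KB_SOURCES = {
    "libfoo-1.2": ("GPL-2.0",
                   "int foo_checksum(const char *p) {\n  int s = 0;\n"
                   "  while (*p) s = s * 31 + *p++;\n  return s;\n}\n"),
    "tinyjson-0.4": ("MIT",
                     "def parse(s):\n    tokens = tokenize(s)\n"
                     "    return build_tree(tokens)\n"),
}
KB = {name: {"license": lic, "fp": fingerprint(src), "shingles": line_shingles(src)}
      for name, (lic, src) in KB_SOURCES.items()}

# Constructed license attributes (a real catalogue carries dozens per license).
LICENSE_ATTRS = {"GPL-2.0": {"copyleft": "strong"},
                 "LGPL-2.1": {"copyleft": "weak"},
                 "MIT": {"copyleft": "none"}}

NOTICE_PATTERNS = [
    ("copyright", re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}", re.I)),
    ("license", re.compile(r"\b(?:GPL|LGPL|MIT|Apache|BSD)\b")),
    ("provenance", re.compile(r"taken from|copied from|based on", re.I)),
    ("url", re.compile(r"https?://\S+")),
]
DEP_RE = re.compile(
    r'^\s*(?:#include\s*[<"]([^>"]+)[>"]|import\s+(\w+)|from\s+(\w+)\s+import)', re.M)

def match_file(text: str, kb=KB, threshold: float = 0.5):
    """Return (component, 'exact'|'fuzzy'|None, score) for one file.
    Fuzzy score = share of the known component's lines present in the file."""
    fp, shingles = fingerprint(text), line_shingles(text)
    best = (None, None, 0.0)
    for name, entry in kb.items():
        if entry["fp"] == fp:
            return name, "exact", 1.0
        score = len(entry["shingles"] & shingles) / len(entry["shingles"])
        if score > best[2]:
            best = (name, "fuzzy", score)
    return best if best[2] >= threshold else (None, None, 0.0)

def find_notices(text: str):
    """Integrated string search: copyrights, license names, 'taken from', URLs."""
    return [(kind, m.group(0)) for kind, rx in NOTICE_PATTERNS
            for m in rx.finditer(text)]

def find_dependencies(text: str):
    """Dependency hints from #include / import statements."""
    return sorted({g for m in DEP_RE.finditer(text) for g in m.groups() if g})

def scan(files: dict, kb=KB):
    """Produce a per-file bill of materials for a {path: source} code base."""
    bom = []
    for path in sorted(files):
        name, kind, score = match_file(files[path], kb)
        bom.append({"path": path, "component": name, "match": kind,
                    "score": round(score, 2),
                    "license": kb[name]["license"] if name else None,
                    "notices": find_notices(files[path]),
                    "dependencies": find_dependencies(files[path])})
    return bom

def license_conflicts(bom, distributed: bool = True):
    """Flag strong-copyleft components in a proprietary product. Obligations
    are triggered on distribution, not on use, so an undistributed product
    yields no conflicts here."""
    if not distributed:
        return []
    return [(e["path"], e["component"], e["license"]) for e in bom
            if e["license"] and LICENSE_ATTRS[e["license"]]["copyleft"] == "strong"]

# Constructed target code base: one verbatim copy, one copy with a header
# added and no license attribution, and one internally written file.
TARGET = {
    "src/json_util.py": KB_SOURCES["tinyjson-0.4"][1],
    "src/checksum.c": "/* Copyright (c) 2009 Example Corp */\n"
                      + KB_SOURCES["libfoo-1.2"][1],
    "src/app.py": "import requests\nfrom json_util import parse\n"
                  "# taken from http://example.invalid/snippet\n"
                  "def load(url):\n    return parse(requests.get(url).text)\n",
}

if __name__ == "__main__":
    report = scan(TARGET)
    for entry in report:
        print(entry)
    print("license conflicts:", license_conflicts(report))
```

Running it lists three bill-of-materials entries: the verbatim MIT file is an exact match, the GPL file is found by fuzzy line matching despite the added header (and carries no license text of its own, which is exactly the undisclosed-open-source case the slides describe), and the internal file shows only its dependencies and a "taken from" comment worth a human look. The conflict check then flags the strong-copyleft component for a distributed proprietary product and flags nothing when `distributed=False`.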
17. Remediation
    - A code audit may reveal issues that need remediation
    - Remediation can be done...
      - Pre-acquisition as a condition of the sale
      - Post-acquisition as part of the integration
    Primary concerns during the due-diligence phase
    - Does the remediation impact valuation?
    - What is the cost & effort?
    - Who should do it?
    - When is it done?
    - How much risk is the Acquirer taking?
    Remediation options will depend upon the OSS detected (license)

18. What are the Remedies?
    Conform to the License
    - Verify compliance with license obligations
    - Check for file modifications
    - Confirm file-level obligations are met
      - Copyright statements retained
      - Modification notices in place
      - License text in place
    - Publish / distribute software if necessary
    - Update documentation/splash screens if necessary
    - And a host of others depending upon the license
    Implement Changes
    - Typically done during Integration (post sale)
    Change Usage
    - Some obligations depend upon the usage scenario
    - Re-architect so usage of the component is less integrated
    - Comply with more desirable license terms

19. What are the Remedies? (cont.)
    Remove Offending Code
    - Black Duck Service can detect "Fossils"
    - Verify code can be safely removed with no impact
    - Typically forced on Sellers
    Replace Code
    - Replace with other OSS
    - Replace with a Commercial Alternative
    - Replace with In-house developed Code
      - Need a Clean Room Environment?
    - Can be difficult if the OSS component is critical
    - Can be lengthy and expensive
20. SAP Profile
    The SAP Solution Portfolio
    - Improves Business Insight
    - Drives Business Efficiency
    - Enables Flexibility & Innovation
    Major acquirer: 20+ acquisitions since 2007 valued at >$13 billion
    - Black Duck code scans in 15 closed deals since 2007 with total value >$7.5 billion
    - > 2,000 OS components identified in target solutions
    (portfolio diagram labels: Ecosystem; Services and Support; Optimize Performance and Balance Risk: SAP BusinessObjects; Implement Flexible Business Processes: SAP Business Suite, SAP Solutions for SME; SAP NetWeaver)

21. SAP's Experience with Evolution of Target's Response to Open Source Due Diligence
    Past: Skepticism                                        | Present: Industry Standard
    "Why is SAP performing OS diligence?"                   | Open source due diligence is expected
    Many questions about process / NDA heavily negotiated   | Few process questions / little negotiation of NDA
    Require code scan to be performed on site               | Allow remote code scan

22. SAP – M&A Due Diligence on Open Source
    SAP asks targets (typically prior to signing a term sheet):
    - Provide a list of all open source in use
    - Do you have a policy regarding open source use?
    - Do you have a governance process to monitor & control the use of open source in your products?
    Following execution of a non-binding term sheet, SAP engages Black Duck to scan the target's code for open source.
    Scan results are evaluated by SAP's open source licensing and legal groups prior to finalizing the transaction.

23. SAP M&A Open Source Evaluation Process
    - Evaluate and categorize the risk of open source components used in the target's products
    - High risk components must be removed prior to SAP's shipment of the product post-closing
    - Non-high risk components are dealt with following closing as part of SAP's standard open source governance process
    - SAP may terminate a transaction evaluation due to the amount of open source found in the target's code and/or the cost of remediating high risk components
24. SAP Open Source Governance Process
    Flow: Open source request form -> Architecture Check -> Legal & IP Evaluation -> Applicant Briefing -> Management Approval
    The Legal & IP Evaluation covers General License Evaluation, Modifications, Special Requirements and IP Evaluation:
    - Warranties / liabilities
    - Support offerings
    - General license grant
    - Export restrictions
    - Does the license allow for modifications?
    - What terms apply to modifications?
    - Required text for documentation
    - Copyright notices
    - Distribution pre-requisites in general
    - Product's characteristics
    - Contribution policy
    - Companies supporting and using the open source product

25. Summary
    - Open source is pervasive and ubiquitous
    - Checking for open source has become an industry best practice in M&A involving software assets
    - Be pro-active:
      - Run a code scan to accurately identify the open source components used in your code
      - Create an explicit policy for using open source
      - Regularly audit compliance (can be automated)