Software audit for acquisition due diligence with nexB


When you consider acquiring a company, you need to know about any software licensing risks associated with its open source software products and how to mitigate them.
nexB is a trusted third party that can quickly analyze products of any size and technology to support your acquisition due diligence process. We provide a turnkey service that minimizes the impact on both Buyer and Seller while both are busy with other activities.
A nexB software audit provides you with a comprehensive and actionable report of software IP issues, supported by a detailed software inventory at the component and file level. We can tailor the depth of analysis to fit your concerns and schedule.
For more information, please visit

Published in: Business, Technology

  1. Software Provenance Analysis - Acquisition Due Diligence (Copyright © nexB Inc.)
  2. Agenda
     • About nexB: What we do; Our experience
     • Software Audit: M&A: Software Audit Process; Software Audit Tools
     • Additional Information: Why nexB?; Contact us; License Violation Risks & Recent Audit Issues; Lessons Learned
  3. About nexB Inc. – What we do
     Our business is software component management
     •  Current focus on open source governance and compliance
     •  Primary product is an enterprise system for tracking all software components in your products,
     •  Plus practical open source solutions for integrating software engineering systems with enterprise systems
     We offer
     •  DejaCode™ - Open Data Platform for Managing Open Source
     •  Open Source Software Audit Services
     •  Open Source Scanning & Attribution Generation Tools
     We are
     •  Software provenance analysis experts
     •  Active open source developers & Linux Foundation members
  4. About nexB Inc. – Our experience
     Recognized by the buyers and target companies as:
     •  Experts in software origin analysis
     •  A fair and trusted intermediary
     Two key reasons to engage nexB:
     •  Combination of automated analysis tools and our expertise to clearly define Issues and practical remediation actions
     •  Identification of the subset of software from the Development codebase that is actually distributed or deployed, to identify the potential impact of a software IP risk
     We have performed more than 500 software audit projects to date
     •  Expertise in all software IP
  5. Software Audit: M&A – Process Scope
     [Diagram: Original Code / Open Source Code / Commercial Code]
  6. Software Audit: M&A – Process Timeline
     [Diagram: timeline]
  7. Software Audit: M&A – Process
     Scope options - depending on your schedule and priorities
     •  Copyleft & Commercial issues
        Ø  Focus only on copyleft and commercial code
     •  Deployed Bill of Material only
        Ø  Focus on what code is actually visible to a customer
     •  Deployed Bill of Material only with Development codebase details
        Ø  BOM of Development codebase components that are Deployed on the product
     •  Development codebase inventory
        Ø  Inventory of Development codebase components
        Ø  Details for Deployed components
        Ø  Summary for non-Deployed
  8. Software Audit: M&A - Deliverables
     Specific Action items and recommended actions for resolution that can be factored into the deal terms
     •  Including possible exposure for older product versions
     •  Detailed analysis for copyleft “contamination”
     Checklist of commercial components as input to due diligence for contract review
     Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)
  9. Software Audit: M&A – Preparation
     Establish NDA with seller
     •  Two-way or three-way
     Scope audit effort
     •  Audit profile (questionnaire)
     •  Size of code base - # files and lines of source code
     •  Disclosure of known third-party and open source software
     •  Onsite or remote access to the code
     Prepare/agree quote – always fixed fee, no surprises
     Schedule project
  10. Software Audit: M&A – Preparation
     Many targets are anxious about the process
     •  General level of anxiety is inversely proportional to prior M&A experience of executives
     •  We do some hand holding to make them feel comfortable
     •  Assure seller that they review all findings first, so no surprises
     •  Explain the process and tools to the seller
  11. Software Audit: M&A - License & Origin Analysis
     Analysis Activities
     •  Discovery: scan files for license, copyright and other origin clues
     •  Identification: match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
     •  Map Deployed code to Development code to:
        Ø  Validate that we have a complete Development codebase
        Ø  Filter issues based on the effective Deployed/Distributed code
     •  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
     •  Additional domain-specific investigations
  12. Software Audit: M&A - License & Origin Analysis
     Results
     •  Software Inventory and Bill(s) of Materials
     •  Draft Action items & recommendations
  13. Software Audit: M&A - Review & Report
     Activities
     •  Draft findings review with product team
        Ø  Ask product team to respond to each Action item
           •  Accept recommended solution or propose another approach
           •  Acknowledge & investigate
           •  Not a request to fix anything during the audit
        Ø  Incorporate feedback and answers from product team into the Software BOM and Report
        Ø  We may “agree to disagree” – e.g. we then present two points of view: ours and the seller’s.
     •  Complete final report
        Ø  Second review cycle with product team
        Ø  Release the report
        Ø  Conference call with buyer to present findings
  14. Software Audit: M&A - Review & Report
     Results
     •  Final Software Inventory / BOM spreadsheets
     •  Final Report - narrative with executive summary, project data and summary of the Action items and Responses
  15. Software Audit: M&A - Software Audit Tools
     nexB typically uses a combination of tools for a software audit
     •  Our own ScanCode toolkit is the primary tool
     •  Other tools used as needed or as licensed by a customer (open source or commercial)
     Multiple layers of analysis
     •  Discovery: direct scan for license and copyright notices
     •  Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
     •  Analysis of source code and pre-built libraries (binary)
     •  Interaction and dependency analysis as needed
     Review and validation by software experts
     All require expert humans to interpret the results!
  16. Additional Information: Why nexB?
     Trusted third party
     •  Mitigates confidentiality concerns of a seller company
     •  Maintains proper segregation of information during acquisition negotiations
     •  Enables objective analysis with appropriate consideration of feedback from all parties
  17. Additional Information: Contact us
     Contact person: Pierre Lapointe, Customer Care Manager, +1 415 287-7643
     More information
  18. Additional Information: License Violation Risks
     [Diagram, labels only: source code available; Free Software; Copyleft FOSS; Attribution; source with limitations (Proprietary); Freeware / Shareware; Binary-only (Proprietary); examples: many Java libraries, Microsoft shared source, Sun]
  19. Additional Information: Recent Issue Examples
     •  Dependency Issue
     •  “Workarounds”
     •  License violation
  20. Additional Information: Emerging Issue Examples
     •  Cloud computing and Dual Licensing
     •  Personal Devices and Application store markets
  21. Additional Information: Lessons Learned
     Schedule is always a major issue
     Initiate a software audit early because
     •  Seller company will probably not have done this before
     •  Negotiation of an NDA takes longer than you expect
     •  Negotiation of access to artifacts and people takes longer than you think
     The review of findings and recommendations may require several iterations with the target company
     •  Get answers for open issues
     •  Get agreement about remediation strategies
     •  Get agreement that the report is objective and reasonable
  22. Additional Information: Lessons Learned
     Identify the “crown jewels” and key platforms of the seller technology
     •  Concentrate the audit on the most important parts
     •  For products with multiple operating system versions, focus on the most important platforms
     Some issues can be specific to the open source policies of the Buyer
     •  For instance, tolerance for certain versions of open source licenses or proprietary Linux drivers varies among companies
     •  We apply Buyer company policies if available,
     •  Otherwise we apply “conservative” community standards
     •  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
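Slides 11 and 15 describe the analysis layers as discovery (scanning files for copyright and license clues), identification (matching code to a reference repository by fingerprint) and mapping deployed code back to the development codebase so that action items are filtered to what actually ships. The script below is an added example, not nexB's code and not ScanCode: it runs those three steps over a constructed in-memory codebase. The file names, copyright holders, license rules and the SHA-1 exact-match fingerprint are all simplifications assumed for this illustration; a real audit tool carries a large license rule corpus and uses fuzzy or partial matching against a reference repository.

```python
# Added illustration (not nexB's code, not ScanCode): a toy version of the
# discovery, identification and deployed-to-development mapping steps of the
# audit. Rule sets and fingerprints here are deliberately simplistic; real
# tools use large license-detection rule corpora and fuzzy/partial hashes.
import hashlib
import re

# Constructed sample "Development codebase" (what is in source control).
# File names, holders and contents are all made up for this example.
DEV_CODEBASE = {
    "src/app/main.c": (
        "/* Copyright (c) 2014 Example Corp. All rights reserved. */\n"
        "int main(void) { return 0; }\n"
    ),
    "src/vendor/gnuhash/hash.c": (
        "/* Copyright (C) 2009 Jane Contributor\n"
        " * This program is free software: you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License, version 2 or later. */\n"
    ),
    "src/vendor/acme/acme_sdk.c": (
        "/* Copyright 2012 Acme Libs Inc. Proprietary and confidential. */\n"
    ),
    "tools/gen.py": "# SPDX-License-Identifier: MIT\n# Copyright 2013 Example Corp\n",
}

# Constructed "Deployed" artifacts (what the customer actually receives).
# Three are byte-identical copies of development files; one has no match,
# which is the "is the Development codebase complete?" signal from slide 11.
DEPLOYED = {
    "firmware/main.c": DEV_CODEBASE["src/app/main.c"],
    "firmware/hash.c": DEV_CODEBASE["src/vendor/gnuhash/hash.c"],
    "firmware/acme_sdk.c": DEV_CODEBASE["src/vendor/acme/acme_sdk.c"],
    "firmware/blob.bin": "\x7fELF\x02\x01\x01 stripped binary of unknown origin\n",
}

# Toy detection rules (constructed): a copyright-statement pattern and a few
# license clues, each tagged with the category used in the audit scope.
COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*[0-9][0-9,\s\-]*[^\n*/]+", re.I)
LICENSE_RULES = [
    ("gpl-2.0-plus", "Copyleft", re.compile(r"GNU General Public License", re.I)),
    ("mit", "Permissive", re.compile(r"SPDX-License-Identifier:\s*MIT\b|MIT License", re.I)),
    ("proprietary", "Commercial", re.compile(r"proprietary and confidential", re.I)),
]


def fingerprint(text: str) -> str:
    """Exact-match "digital fingerprint" of a file (SHA-1 of its bytes)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def discover(text: str) -> dict:
    """Discovery step: direct scan of one file for copyright and license clues."""
    copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    licenses = [(key, category) for key, category, rx in LICENSE_RULES if rx.search(text)]
    return {"copyrights": copyrights, "licenses": licenses}


def map_deployed(dev: dict, deployed: dict) -> dict:
    """Identification step: map each deployed file to the development files
    that carry the same fingerprint (empty list when nothing matches)."""
    index: dict = {}
    for path, text in dev.items():
        index.setdefault(fingerprint(text), []).append(path)
    return {dpath: index.get(fingerprint(dtext), []) for dpath, dtext in deployed.items()}


def build_bom(dev: dict, deployed: dict):
    """File-level bill of materials for the development codebase, flagging what
    is actually deployed, plus the deployed files that matched nothing."""
    mapping = map_deployed(dev, deployed)
    deployed_dev_paths = {p for paths in mapping.values() for p in paths}
    bom = []
    for path, text in dev.items():
        clues = discover(text)
        bom.append({"path": path, "deployed": path in deployed_dev_paths,
                    "copyrights": clues["copyrights"], "licenses": clues["licenses"]})
    unmatched = sorted(p for p, matches in mapping.items() if not matches)
    return bom, unmatched


def action_items(bom: list, unmatched: list) -> list:
    """Draft action items, filtered to code that is effectively deployed."""
    items = []
    for row in bom:
        categories = {category for _, category in row["licenses"]}
        if row["deployed"] and "Copyleft" in categories:
            items.append(f"Copyleft code is deployed: {row['path']}")
        if row["deployed"] and "Commercial" in categories:
            items.append(f"Commercial component is deployed, add to contract review checklist: {row['path']}")
    for path in unmatched:
        items.append(f"Deployed file has no match in the Development codebase: {path}")
    return items


if __name__ == "__main__":
    bom, unmatched = build_bom(DEV_CODEBASE, DEPLOYED)
    for row in bom:
        print(row)
    for item in action_items(bom, unmatched):
        print("ACTION:", item)
```

Run as written, the MIT-licensed build tool is inventoried but produces no action item because it is never deployed, the copyleft and commercial files that do ship each produce one, and the unmatched binary produces a third: that is the filtering by effective deployed code that slide 11 describes, and the reason the mapping step comes before the issue list rather than after it.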