nexB - Software Audit for Acquisition Due Diligence
© 2014 nexB Inc.
Agenda
•  About nexB
–  What nexB does
–  Our experience
•  Software Audit: M&A
–  License Violation Risks & Recent Audit Issues
–  Software Audit Process 
–  Software Audit Tools
•  Additional Information
–  Why nexB?
–  Contact us
–  Lessons Learned
What nexB does
•  Enable component-based software development
–  Software provenance analysis services
–  Software asset management tools
•  Software audit services
–  Acquisitions
–  Software product releases
•  Active OSS developers
•  Expertise in all software IP
About nexB
Our experience is our difference
•  Recognized by buyers and target companies as:
–  experts in software origin analysis
–  a fair and trusted intermediary
•  We identify issues along with practical remediation steps
•  350+ software audit projects completed to-date
License Violation Risks
Software audit: M&A
[Figure: spectrum of license categories, from "source code available" (Copyleft FOSS, Attribution FOSS, Free Software) through "source with limitations (Proprietary)" to "Binary-only (Proprietary)" and Freeware / Shareware; examples named in the figure: many Java libraries, Microsoft shared source, Sun SCSL, GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, Apache, EPL, Adobe Reader]
Recent Audit Issue Examples
•  Dependency Issue “Workarounds”
•  License violation
Emerging Audit Issue Examples
•  Cloud computing and Dual Licensing
•  Personal Devices and Application store markets
Software Audit Process
Software Analysis Scope
[Figure: composition of the analyzed codebase by origin: Original Code, Open Source Code, Commercial Code]
Software Analysis Deliverables
•  Complete inventory of OSS and third-party components in Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
–  Including possible exposure for older product versions
–  Detailed analysis for copyleft “contamination”
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)
Preparation – 1 week (1/2)
•  Establish NDA with seller
–  Two-way or three-way
•  Scope audit effort
–  Audit profile (questionnaire)
–  Size of code base - # files and lines of source code
–  Disclosure of known third-party and open source software
–  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project
Preparation (2/2)
•  Many targets are anxious about the process
–  General level of anxiety is inversely proportional to prior M&A experience of executives
–  We do some hand holding to make them feel comfortable
–  Assure seller that they review all findings first so no surprises
–  Explain the process and tools to the seller
License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
•  Map Deployed code to Development code to:
–  Validate that we have a complete Development codebase
–  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications of media codecs
License & Origin Analysis (2/2)
Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations
Review & Report – 1 week (1/2)
Activities
•  Draft findings review with product team
–  Ask product team to respond to each Action item
•  Accept recommended solution or propose another approach
•  Acknowledge & investigate
•  Not a request to fix anything during the audit
–  Incorporate feedback and answers from product team into the Software BOM and Report
–  We may “agree to disagree”, in which case we present two points of view: ours and the seller’s
•  Complete final report
–  Second review cycle with product team
–  Release the report
–  Conference call with buyer to present findings & answer questions
Review & Report (2/2)
Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report - narrative with executive summary, project data and summary of the Action items and Responses
Software Audit Tools
•  nexB typically uses a combination of tools for a software audit
–  Our own DejaCode™ toolkit is the primary tool
–  Other tools used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
–  Direct scan for license and copyright notices
–  Component matching for open source and publicly available third-party components (freeware/proprietary)
–  Analysis of source code and pre-built libraries (binary)
–  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All require expert humans to interpret the results!
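The two analysis layers named in the License & Origin Analysis and Software Audit Tools slides (a direct scan for license and copyright clues, and component matching by digital fingerprint against a reference repository), followed by the Deployed-code filter that turns copyleft findings into Action items, can be sketched in a few dozen lines. The Python below is an added example written for this page; it is not DejaCode or any other nexB code. The clue patterns, the reference corpus, the sample codebase and the deployed-file set are all constructed for the example, and SHA-256 of the whole file stands in for the richer fingerprints a real matcher would use.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Layer 1: direct scan. Clue patterns mapped to license keys (constructed for
# this example; a production scanner carries thousands of such rules).
LICENSE_CLUES = [
    (re.compile(r"GNU General Public License", re.I), "gpl"),
    (re.compile(r"GNU Lesser General Public License", re.I), "lgpl"),
    (re.compile(r"Apache License,? Version 2\.0", re.I), "apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "mit"),
    (re.compile(r"Redistribution and use in source and binary forms", re.I), "bsd"),
]
COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*[0-9]{4}[^\n]*", re.I)
COPYLEFT = {"gpl", "lgpl"}  # licenses whose interaction patterns need follow-up


@dataclass
class Finding:
    path: str
    sha256: str
    licenses: List[str]
    copyrights: List[str]
    component: Optional[str] = None  # set when the fingerprint matches the reference index
    copyleft: bool = False


def fingerprint(data: bytes) -> str:
    """Digital fingerprint of a file: here simply its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def build_reference_index(corpus) -> Dict[str, dict]:
    """Layer 2: index known component files by fingerprint."""
    return {fingerprint(data): {"component": name, "license": lic} for name, lic, data in corpus}


def scan_clues(text: str):
    """Direct scan of one file's text for license and copyright clues."""
    licenses = sorted({key for pat, key in LICENSE_CLUES if pat.search(text)})
    copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    return licenses, copyrights


def scan_codebase(files: Dict[str, bytes], reference: Dict[str, dict]) -> List[Finding]:
    findings = []
    for path, data in sorted(files.items()):
        digest = fingerprint(data)
        licenses, copyrights = scan_clues(data.decode("utf-8", "replace"))
        finding = Finding(path, digest, licenses, copyrights)
        match = reference.get(digest)
        if match:
            finding.component = match["component"]
            # Stripped notices are common: fall back to the reference license.
            if not finding.licenses:
                finding.licenses = [match["license"]]
        finding.copyleft = any(lic in COPYLEFT for lic in finding.licenses)
        findings.append(finding)
    return findings


def action_items(findings: List[Finding], deployed: Set[str]) -> List[dict]:
    """Copyleft findings filtered to the effectively deployed code."""
    return [{"path": f.path, "component": f.component, "licenses": f.licenses}
            for f in findings if f.copyleft and f.path in deployed]


def origin_summary(findings: List[Finding]) -> Dict[str, int]:
    """Original versus borrowed: a file is third-party if matched or licensed."""
    summary = {"original": 0, "third-party": 0}
    for f in findings:
        summary["third-party" if (f.component or f.licenses) else "original"] += 1
    return summary


# Constructed sample data: a tiny reference corpus and a tiny target codebase.
_HASH_C = (b"/* Redistribution and use in source and binary forms, with or without\n"
           b"   modification, are permitted. */\n"
           b"unsigned fasthash(unsigned x) { return x * 2654435761u; }\n")
_STRIP_C = b"int strip_hash(void) { return 3; }\n"
_GPL_C = (b"// Copyright (c) 2012 Some Author\n"
          b"// This program is free software under the GNU General Public License v2.\n"
          b"int gpl_fn(void) { return 2; }\n")
REFERENCE_CORPUS = [
    ("libfasthash 2.1", "bsd", _HASH_C),
    ("libstrip 1.2", "lgpl", _STRIP_C),
    ("gpllib 0.9", "gpl", _GPL_C),
]
SAMPLE_CODEBASE = {
    "src/app/main.c": b"// Copyright (c) 2014 Example Target Corp.\nint main(void) { return 0; }\n",
    "src/vendor/hash.c": _HASH_C,
    "src/vendor/strip.c": _STRIP_C,  # notice stripped; only the fingerprint identifies it
    "src/vendor/gpllib.c": _GPL_C,
    "tools/build_helper.py": b"# Licensed under the GNU General Public License v3\nprint('build')\n",
}
DEPLOYED = {"src/app/main.c", "src/vendor/hash.c", "src/vendor/strip.c", "src/vendor/gpllib.c"}

if __name__ == "__main__":
    results = scan_codebase(SAMPLE_CODEBASE, build_reference_index(REFERENCE_CORPUS))
    for f in results:
        print(f"{f.path:24} {f.component or 'original':18} {','.join(f.licenses) or '-':10} copyleft={f.copyleft}")
    print("action items:", action_items(results, DEPLOYED))
    print("origin:", origin_summary(results))
```

Two points the run makes that the slides only state: `src/vendor/strip.c` carries no notice at all, so the direct scan alone would report it as original and only the fingerprint match reveals an LGPL component; and `tools/build_helper.py` is GPL-licensed but never deployed, so it appears in the inventory without becoming an Action item. That is exactly why both layers and the Deployed/Development mapping are needed before a human reviews the list.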
Why nexB (1/2)
•  100% of our customers are repeat customers and references
•  We have a balanced approach
–  Automated code analysis AND analysis by software experts
–  Direct consultation with engineering, management and legal teams
–  Concrete Action items with nexB's recommended resolution and the seller's Responses
Additional Information
Why nexB (2/2)
•  Trusted third party
–  Mitigates confidentiality concerns of a seller company
–  Maintains proper segregation of information during acquisition negotiations
–  Enables objective analysis with appropriate consideration of feedback from all parties
Contact us
Contact person: Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+1 415 287-7643
More information: http://www.nexb.com/
Lessons Learned – Acquisitions (1/2)
•  Schedule is always a major issue
•  Initiate a software audit early because
–  Seller company will probably not have done this before
–  Negotiation of an NDA takes longer than you expect
–  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with target company
–  Get answers for open issues
–  Get agreement about remediation strategies
–  Get agreement that report is objective and reasonable
Lessons Learned – Acquisitions (2/2)
•  Identify the “crown jewels” and key platforms of the seller technology
–  Concentrate the audit on the most important parts
–  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
–  For instance, tolerance for certain versions of open source licenses or proprietary Linux drivers varies among companies
–  We apply Buyer company policies if available,
–  Otherwise we apply “conservative” community standards
–  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
