Venture Capitalists Tech
Investment Hidden Risks
2015
WHAT SHOULD BE INCLUDED IN THE DUE DILIGENCE
PROCESS
MARTIN CALLINAN
SOURCE CODE CONTROL LIMITED | 149-151 Mortimer Street, Herne Bay, Kent, CT6 5HA
Venture Capital and Private Equity in the Tech Sector
The rapid pace of innovation in the Technology sector is attracting both venture capital and private
equity investment into UK companies, and the bulk of that investment is in London-based
organisations. Q1 of 2015 saw London technology smash previous funding records. The amount
raised by London companies, with a value of $856.7m, comprises 80% of that raised by all UK companies.
With the technology sector being so buoyant, investors are inundated with dealflow. This is driving how
investors exercise risk assessments. Early stage investors would review a few good companies
each week.
With such a competitive landscape the challenge for technology entrepreneurs is getting the
attention of investors. Key to this is clearly presenting the company’s strategy. A solid business plan
is important but if the overall strategy is weak then there is unlikely to be investment in the
organisation.
Risk versus Reward
There are good reasons why VCs are cautious with their investment money. Generally they are
taking enormous risks on untested ventures which they hope will eventually transform into the next
big thing.
With mature organisations, the process of establishing value and being a sound investment is
reasonably straightforward as there is a track record of sales, profits and cash flow. With early stage
ventures, VCs will delve deeper into the business, the opportunity and the underlying technology
behind the business.
The key considerations by late round investors will be:
• Management – Who is the team behind the organisation and what is their track record?
• Size of market – Demonstrating the target market opportunity which will indicate the
returns investors might expect from any investment.
• Great Product – Investors want to invest in great products with a competitive edge that are
long lasting and sustainable.
• What is the current revenue status of the early stage company? Are they generating sales
and future pipeline prior to any investment?
• What are the risks – VCs are taking on risk and their skill as investors is understanding all
risks and making fully informed decisions for a successful outcome. The two main areas VCs
will focus.
The entrepreneur needs to understand that not all money is the same and not all funding sources
are equal. The entrepreneur must carefully consider the implications which may follow from the
investor and other requirements of various financing sources. Some examples:
• Board member status for the investor is a requirement.
• Require the employment of advisors.
• Require the creation of an advisory board.
• Investor invests and observes but does not play an active role.
Business Risk
The business risks an investor looks at will depend on whether it is an early stage investment or a late
round investment.
The skill of early stage investment funds is being able to identify the potential of a technology even
if today the product is not right or needs significant evolution to become successful. This way
an early stage investor is able to maximise their return while minimising their initial investment.
Outside of the technology, early stage investors would view the current revenue status of the early
stage company to decide which investment fund(s), if any, the company would fit into.
Late round investors would, by the nature of the investment, seek clarity in the company’s
business plan, which would include:
• Is this the right product for today and the future?
• Is there enough money in the fund to fully meet the opportunity?
• Is there an eventual exit from the investment, a chance to see a return?
• Regulatory or legal risks
Technology Risk
Following from the strategy review will be a technology review. Typically the focus will be on the
ability of both the software and the development team to deliver on the product’s roadmap in line
with the investor’s timelines.
There will be a detailed review of the software architecture, code quality, software engineering
quality, scalability and robustness.
If the company is a software start-up, an expected pre-requisite is that software development
leverages open source software. There may well be valid reasons why a start-up would not use
open source software, but in the due diligence of a dealflow the start-up would need a clear and
strong justification as to why open source software has not been used.
The reality is that many young companies do not understand the value of intellectual property and
the risks that can be engineered into software applications.
The types of risks that investors will look for are:
• Software architecture, scalability and extensibility
• Exposure to third-party platforms
• Intellectual property value – an objective view of the software’s unique value in the market
• Intellectual Property and patent evaluation – are there any patent infringements?
• Third party dependencies
• Open source software risk exposure
To identify these technology risks typically a third party specialist will be contracted to perform a
source code review. This code review can either be initiated by the technology organisation prior to
seeking investment, by the VC or Private Equity Organisation as part of the due diligence process or
both. If the organisation goes into a funding exercise without visibility of the quality of their code
and associated risks there is a good chance the investors will view the investment as risky regardless
of the functionality of the technology in question.
Why Should Due Diligence Include an Independent Source Code Review?
Apart from identifying current issues in the source code such as licensing irregularities, problematic
IP or potential security vulnerabilities in software components, which typically can be remediated,
reviewing the source code could identify inefficiencies or flaws in the development process.
It could identify the need to have a proper code inspection process during the development cycle,
thus eliminating the issues earlier.
It may be appropriate to create an open source software adoption process; with proper tooling this can
help lower your costs of compliance, not to mention minimising disruptions during key transactions.
As with bugs in software, it is far more efficient and cost effective to catch issues early.
Before discussing Source Code Reviews it is important we are clear what we mean by Source Code.
What is Source Code?
Source code is a set of programming language statements and commands a software developer
creates that becomes part or all of the applications that a user, website or device runs. There are a
plethora of languages used by developers such as C, C++, C#, Java or scripting languages such as
JavaScript, Perl, Python, PHP. The Source Code is compiled into an executable which the target
device will execute.
What is a Source Code Review or Audit?
A Source Code review or audit should be performed by an independent third party specialist in this
area of expertise. If you are a VC or private equity firm it is unlikely that you would have these skills
in house. If you are a software company seeking investment it is likely you would have somebody in
house who would have the skills needed to perform the review however they may not be able to
produce a reliable and objective report.
Why is a Source Code Review Imperative?
Developers today rarely code a complete application from scratch. Applications are made up of
components of code from a variety of sources which are stitched together to create the finished
application. This makes for very dynamic and agile development but with it there are a number of
inherent risks. Each component will have a number of attributes such as how it is licensed and its
version.
Outside of the function of the application(s), investors need to have details of the make-up and
provenance of the code components in the following areas:
• Intellectual property and licensing
• Security of the software
• How will the software be maintained and supported
• The capabilities and maturity of the components being used
• Ability to integrate with other applications
• Quality of the components that make up the application
• Innovation – Can the application be evolved over time
• Viability of the open source community around the components being used
Fundamentally it boils down to assessing the overall quality and consistency of the source code. The
source code is an indicator of the quality of the organisation seeking investment. Software
development is a creative exercise and developers should be allowed to express their personal style
and approach, but in line with the organisation’s standards, which all developers should follow.
What is the Process for a Source Code Audit?
• First an NDA must be in place between the reviewer and the organisation
• Once the NDA is in place the reviewer will question key stakeholders in the organisation to
ensure there is a clear understanding of the reasoning behind the audit and the
organisation’s environment such as the size of the portfolio, languages and tools in use,
particularly any automatic code generators.
• A Statement of Work is then produced and agreed. This will include:
  a. A breakdown of Software Portfolio into audit segments
  b. Full automated source code scanning, analysis and reporting
  c. Resolve copyrights, standard headers and author tags discovered in the portfolio
  d. Analyse, verify modules and issue regular audit progress reports
  e. Quality review and sign off of licensing and copyright attributes of every software
  file in Software Portfolio
  f. Delivery of audit report(s), review of the reports
• The report will be reviewed and signed off by the organisation’s management
Once signed off, the final reports will be completed and delivered to the organisation. The reports will
include:
• Audit Report: A high level executive report, containing high level information and graphic
representation of licences, copyrights, OSS projects, security vulnerabilities and encryption
content within Software Portfolio. Source Code Control Audit report is delivered in pdf
format.
• Overview Report and Detailed file-by-file Reports: verified machine-generated reports on
Software Portfolio. Overview Report shall be delivered in pdf format. Detailed file-by-file
Report shall be delivered in CSV (readable by Microsoft Excel application) format.
• Concatenated Licence List report: containing a consolidated text of all available licences
within Software Portfolio in pdf format.
• Security Vulnerability Report: A cross reference of all security vulnerability information as
reported by the National Vulnerability Database in pdf format.
• Encryption Report: list of OSS projects detected in the portfolio that could be subject to
export control, in pdf format.
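An added example (not Source Code Control's tooling) of the automated scanning in Statement of Work items b, c and e and the file-by-file CSV report: it extracts licence identifiers, copyright lines and author tags from each file header and flags files that need review. The sample files, the phrase list, the 30-line header window and the flag names are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample portfolio (path -> file text); not from any real audit.
SAMPLE_PORTFOLIO = {
    "src/app/main.py": (
        "# SPDX-License-Identifier: Apache-2.0\n"
        "# Copyright (c) 2015 Example Startup Ltd\n"
        "print('hello')\n"
    ),
    "vendor/parser/parse.c": (
        "/*\n"
        " * Copyright (C) 2009 A. Contributor\n"
        " * This program is free software; you can redistribute it under the\n"
        " * terms of the GNU General Public License as published by the FSF.\n"
        " * @author A. Contributor\n"
        " */\n"
        "int parse(void) { return 0; }\n"
    ),
    "src/util/helpers.js": "function add(a, b) { return a + b; }\n",
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\(c\)|©)?\s*(\d{4}(?:-\d{4})?)\s+(.+)", re.IGNORECASE
)
AUTHOR_RE = re.compile(r"@author\s+(.+)")

# Fallback phrases for headers without an SPDX tag (heuristic, assumed list).
LICENCE_PHRASES = [
    ("GNU Lesser General Public License", "LGPL"),
    ("GNU Affero General Public License", "AGPL"),
    ("GNU General Public License", "GPL"),
    ("Apache License", "Apache"),
    ("Permission is hereby granted, free of charge", "MIT"),
]
COPYLEFT_PREFIXES = ("GPL", "LGPL", "AGPL")
FIELDS = ["path", "licence", "copyrights", "authors", "flag"]
HEADER_LINES = 30  # assumed window: licence headers sit at the top of a file


def detect_licence(header):
    """Return an SPDX identifier if tagged, else a family name from phrases."""
    tagged = SPDX_RE.search(header)
    if tagged:
        return tagged.group(1)
    lowered = header.lower()
    for phrase, family in LICENCE_PHRASES:
        if phrase.lower() in lowered:
            return family
    return ""


def audit_file(path, text):
    """Build one file-by-file report row from a file's header comments."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    licence = detect_licence(header)
    copyrights = [
        f"{year} {holder.strip()}" for year, holder in COPYRIGHT_RE.findall(header)
    ]
    authors = [a.strip() for a in AUTHOR_RE.findall(header)]
    if not licence:
        flag = "NO_LICENCE_INFO"      # provenance unknown: needs manual review
    elif licence.startswith(COPYLEFT_PREFIXES):
        flag = "COPYLEFT_REVIEW"      # obligations may attach on distribution
    else:
        flag = ""
    return {
        "path": path,
        "licence": licence,
        "copyrights": "; ".join(copyrights),
        "authors": "; ".join(authors),
        "flag": flag,
    }


def audit_portfolio(files):
    """Audit every file in a {path: text} mapping, sorted by path."""
    return [audit_file(path, files[path]) for path in sorted(files)]


def report_csv(rows):
    """Render the rows as CSV text, one line per audited file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(report_csv(audit_portfolio(SAMPLE_PORTFOLIO)))
```

A file with no licence or copyright information, such as the constructed `helpers.js`, is the case an auditor has to resolve by hand, since its provenance cannot be established from the header alone.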
Conclusion
Whether you are a technology organisation seeking investment or a venture capital/private equity
organisation investing in technology organisations there is a typical process of due diligence
reviewing business strategy, business risk, technology risk, technical architecture and source code
risk.
It is imperative that there is transparency of the make-up of the underlying source code related to
the technology. Any undeclared risks in the code could potentially devalue a return on investment. A
code audit should not be a one off exercise but should be part of all stages of the development
process. The end result will be quality code, secure code and licence compliant code.

More Related Content

Similar to Venture Capitalists Tech Investment Hidden Risks

Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdfMaximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
JamesEddie2
 
The Software Development Life Cycle’s Five Stages Are Described
The Software Development Life Cycle’s Five Stages Are DescribedThe Software Development Life Cycle’s Five Stages Are Described
The Software Development Life Cycle’s Five Stages Are Described
BMN Infotech
 
Strategic Human Resource Management - AIB (MBA) 2015
Strategic Human Resource Management - AIB (MBA) 2015Strategic Human Resource Management - AIB (MBA) 2015
Strategic Human Resource Management - AIB (MBA) 2015
Rohana K Amarakoon
 
Aumento ventures
Aumento venturesAumento ventures
Aumento ventures
Aarthee Janar
 
Venture Clinic 29 30 Apr2008 Roydean
Venture Clinic 29 30 Apr2008  RoydeanVenture Clinic 29 30 Apr2008  Roydean
Venture Clinic 29 30 Apr2008 Roydean
Roydean Osman
 
United Traders – investment attractiveness report (Digital Rating Agency)
United Traders – investment attractiveness report (Digital Rating Agency)United Traders – investment attractiveness report (Digital Rating Agency)
United Traders – investment attractiveness report (Digital Rating Agency)
digitalrating
 
System Design and Analysis 2
System Design and Analysis 2System Design and Analysis 2
System Design and Analysis 2
Boeun Tim
 
OSS - enterprise adoption strategy and governance
OSS -  enterprise adoption strategy and governanceOSS -  enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governance
Prabir Kr Sarkar
 
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdfTechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
XIAOZEJIN1
 
Software Outsourcing
Software OutsourcingSoftware Outsourcing
Software Outsourcing
Tanvir Hossen
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
Source Code Control Limited
 
How to Kickstart Career in DeFi?
How to Kickstart Career in DeFi?How to Kickstart Career in DeFi?
How to Kickstart Career in DeFi?
101 Blockchains
 
What to prepare before engaging with an offshore team (footnotes included)
What to prepare before engaging with an offshore team (footnotes included)What to prepare before engaging with an offshore team (footnotes included)
What to prepare before engaging with an offshore team (footnotes included)
Chris Hote
 
DAN Brand Accelerator: Client Pitch Keynote
DAN Brand Accelerator: Client Pitch KeynoteDAN Brand Accelerator: Client Pitch Keynote
DAN Brand Accelerator: Client Pitch Keynote
Jason Newport
 
Steps to set up a project
Steps to set up a projectSteps to set up a project
Steps to set up a project
Apoorva Sawlani
 
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
FINOS
 
9 Proven-Strategies
9 Proven-Strategies9 Proven-Strategies
9 Proven-Strategies
Iron Mountain
 
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPSDELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
Techahead Software
 
Top Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting ComTop Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting Com
Mindfire LLC
 
5
55

Similar to Venture Capitalists Tech Investment Hidden Risks (20)

Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdfMaximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
 
The Software Development Life Cycle’s Five Stages Are Described
The Software Development Life Cycle’s Five Stages Are DescribedThe Software Development Life Cycle’s Five Stages Are Described
The Software Development Life Cycle’s Five Stages Are Described
 
Strategic Human Resource Management - AIB (MBA) 2015
Strategic Human Resource Management - AIB (MBA) 2015Strategic Human Resource Management - AIB (MBA) 2015
Strategic Human Resource Management - AIB (MBA) 2015
 
Aumento ventures
Aumento venturesAumento ventures
Aumento ventures
 
Venture Clinic 29 30 Apr2008 Roydean
Venture Clinic 29 30 Apr2008  RoydeanVenture Clinic 29 30 Apr2008  Roydean
Venture Clinic 29 30 Apr2008 Roydean
 
United Traders – investment attractiveness report (Digital Rating Agency)
United Traders – investment attractiveness report (Digital Rating Agency)United Traders – investment attractiveness report (Digital Rating Agency)
United Traders – investment attractiveness report (Digital Rating Agency)
 
System Design and Analysis 2
System Design and Analysis 2System Design and Analysis 2
System Design and Analysis 2
 
OSS - enterprise adoption strategy and governance
OSS -  enterprise adoption strategy and governanceOSS -  enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governance
 
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdfTechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
TechnicalDebtandOpenSourceDevelopment_Whitepaper_062220.pdf
 
Software Outsourcing
Software OutsourcingSoftware Outsourcing
Software Outsourcing
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
 
How to Kickstart Career in DeFi?
How to Kickstart Career in DeFi?How to Kickstart Career in DeFi?
How to Kickstart Career in DeFi?
 
What to prepare before engaging with an offshore team (footnotes included)
What to prepare before engaging with an offshore team (footnotes included)What to prepare before engaging with an offshore team (footnotes included)
What to prepare before engaging with an offshore team (footnotes included)
 
DAN Brand Accelerator: Client Pitch Keynote
DAN Brand Accelerator: Client Pitch KeynoteDAN Brand Accelerator: Client Pitch Keynote
DAN Brand Accelerator: Client Pitch Keynote
 
Steps to set up a project
Steps to set up a projectSteps to set up a project
Steps to set up a project
 
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
 
9 Proven-Strategies
9 Proven-Strategies9 Proven-Strategies
9 Proven-Strategies
 
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPSDELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
DELIVER QUALITY SOFTWARE PRODUCTS BY FOLLOWING SIMPLE STEPS
 
Top Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting ComTop Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting Com
 
5
55
5
 

More from Source Code Control Limited

OpenUK A4 x 8pp Re-use Principles June 2016 FINAL
OpenUK A4 x 8pp Re-use Principles June 2016 FINALOpenUK A4 x 8pp Re-use Principles June 2016 FINAL
OpenUK A4 x 8pp Re-use Principles June 2016 FINAL
Source Code Control Limited
 
Open Source Software GPL Compliance – Should Organisations Care?
Open Source Software GPL Compliance – Should Organisations Care?Open Source Software GPL Compliance – Should Organisations Care?
Open Source Software GPL Compliance – Should Organisations Care?
Source Code Control Limited
 
Supply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSupply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoT
Source Code Control Limited
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
Source Code Control Limited
 
e-HealthWhitepaper
e-HealthWhitepapere-HealthWhitepaper
e-HealthWhitepaper
Source Code Control Limited
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Source Code Control Limited
 

More from Source Code Control Limited (6)

OpenUK A4 x 8pp Re-use Principles June 2016 FINAL
OpenUK A4 x 8pp Re-use Principles June 2016 FINALOpenUK A4 x 8pp Re-use Principles June 2016 FINAL
OpenUK A4 x 8pp Re-use Principles June 2016 FINAL
 
Open Source Software GPL Compliance – Should Organisations Care?
Open Source Software GPL Compliance – Should Organisations Care?Open Source Software GPL Compliance – Should Organisations Care?
Open Source Software GPL Compliance – Should Organisations Care?
 
Supply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSupply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoT
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
 
e-HealthWhitepaper
e-HealthWhitepapere-HealthWhitepaper
e-HealthWhitepaper
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
 

Recently uploaded

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 

Recently uploaded (20)

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD