nexB provides products and services for software component management and license compliance. We have unique expertise in complex embedded devices and large server-based or appliance-based software products. We help companies determine what is in their software or in software provided by their suppliers. For more information, please visit www.nexb.com.
nexB - Software Audit for Acquisition Due Diligence
© 2014 nexB Inc. All rights reserved. Confidential and proprietary
Agenda
• About nexB
  – What nexB does
  – Our experience
• Software Audit: M&A
  – License Violation Risks & Recent Audit Issues
  – Software Audit Process
  – Software Audit Tools
• Additional Information
  – Why nexB?
  – Contact us
  – Lessons Learned
What nexB does
• Enable component-based software development
  – Software provenance (origin and license) analysis services
  – Software asset management tools
• Software audit services
  – Acquisitions
  – Software product releases
  – Internal (IT) systems
• Active open source developers
  – Lead committers
  – Contributors to OS projects
• Expertise in software IP
  – All modern languages and environments
  – Embedded systems specialist
About nexB
Our experience is our difference
• nexB has been recognized by the buyers and target companies as:
  – experts in software origin analysis
  – a fair and trusted intermediary
• nexB identifies issues along with practical remediation steps:
  – Making sense for business and legal teams
  – Actionable by the product teams
• 300+ software audit projects completed to date
  – For due diligence prior to product releases, product licensing or M&A
  – Aggregated value of the acquisition transactions > $5B
  – Aggregated audited codebase > 3 billion lines of source code
License Violation Risks
• Violation of open source software license obligations
  – “Copyleft” licenses (L/GPL, etc.) may force you to release proprietary software as open source or rewrite the software
  – Even “business-friendly” licenses (Apache, etc.) require you to identify and protect copyright owner rights and may impact your patent portfolio
  – Negative reaction from the OSS community may impair your brand
• Violation of third-party proprietary or commercial software license obligations
  – Violation of a free proprietary software license may require you to rewrite software or acquire a commercial license
  – Violation of a commercial software license may expose you to significant financial penalties and/or litigation
Software audit: M&A
Recent Audit Issue Examples
• Affero GPL v3, GPL v3 and LGPL v3
  – Increasing use of the “v3” licenses
  – Implement policies early on to be ready for the v3’s
• Dependency on obsolete OSS packages
  – MySQL example: use of an older version (under LGPL 2.1) instead of the current version (under GPL 2.0) to avoid GPL impact in a commercial product
• Dependency Issue “Workarounds”
  – Tell the customer to download OSS package(s) to avoid distributing a copyleft-licensed OSS component (e.g. MySQL or FFmpeg)
• SaaS / Cloud / Mobile
  – Copyleft-licensed “scripting language” components may have a major impact on cloud-deployed apps
  – Downloaded apps often do not comply with OSS license obligations
Software Audit Process
Software Analysis Scope
• Open Source Code
  – Software license compliance for open source components
  – Interaction of open source with proprietary components
• Third-party Proprietary Code
  – Typically free redistribution but restrictions on changes, field of use, etc.
• Commercial Code
  – Typically subject to a company-to-company contract
• Code By Origin
  – Estimate proportions of open source, third-party and original code
• Vulnerability
  – Report known code-level component vulnerabilities reported in the Open Source and National Vulnerability Databases
Software Analysis Deliverables
• Complete inventory of OSS and third-party components in Development codebase(s)
• Bill of materials for Deployed product components
• Specific Action items and recommended actions for resolution that can be factored into the deal terms
  – Including possible exposure for older product versions
  – Detailed analysis for copyleft “contamination”
• Checklist of commercial components as input to due diligence for contract review
• Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)
Preparation (1/2)
• Establish NDA with seller
  – Two-way or three-way
• Scope audit effort
  – Audit profile (questionnaire)
  – Size of code base: # files and lines of source code
  – Disclosure of known third-party and open source software
  – Onsite or remote access to the code
• Prepare/agree quote: always fixed fee, no surprises
• Schedule project
Preparation (2/2)
• Many targets are anxious about the process
  – General level of anxiety is inversely proportional to prior M&A experience of executives
  – We do some hand holding to make them feel comfortable
  – Assure the seller that they review all findings first, so no surprises
  – Explain the process and tools to the seller
License & Origin Analysis (1/2)
Analysis Activities
• Scan files for license, copyright and other origin clues
• Match target code to a reference code repository for origin and license detection (based on digital “fingerprints”)
• Map Deployed code to Development code to:
  – Validate that we have a complete Development codebase
  – Filter issues based on the effective Deployed/Distributed code
• Analyze software interaction and dependency patterns for copyleft-licensed components as needed
• Additional domain-specific investigations, typically for embedded devices and applications of media codecs
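As an added illustration of the Analysis Activities above (not DejaCode and not code from this deck), this Python sketch runs the three mechanical steps on a constructed sample: a direct notice scan for license and copyright clues, a fingerprint match against a reference table, and a Deployed-to-Development mapping that flags both a shipped file with no source and copyleft code that actually ships. Every path, file content, hash and component name is constructed for the example.

```python
import hashlib
import re

def sha1(text): return hashlib.sha1(text.encode()).hexdigest()  # digital "fingerprint" of a file
# Constructed sample data, not nexB's or any customer's: development tree, reference table, deployed product.
DEV_TREE = {
    "src/main.c": "/* Copyright (c) 2014 Example Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "vendor/zlib/inflate.c": "/* inflate.c -- zlib decompression. Copyright (C) 1995-2012 Zlib Authors */\n",
    "vendor/ffmpeg/utils.c": "/* SPDX-License-Identifier: LGPL-2.1-or-later */\n",
    "vendor/mysql/libmysql.c": "/* Copyright (c) 2000 MySQL AB. GNU General Public License, version 2 */\n",
}
REFERENCE = {sha1(DEV_TREE["vendor/zlib/inflate.c"]): ("zlib", "Zlib")}  # known upstream fingerprint -> (component, license)
DEPLOYED = {  # path -> fingerprint of what ships: MySQL is not shipped, jquery.js has no development source
    "app/main.c": sha1(DEV_TREE["src/main.c"]),
    "app/utils.c": sha1(DEV_TREE["vendor/ffmpeg/utils.c"]),
    "web/jquery.js": sha1("/* constructed: shipped script missing from the development codebase */"),
}
LICENSE_CLUES = [  # notice patterns for the direct scan; None means "take the SPDX identifier from the text"
    (re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)"), None),
    (re.compile(r"GNU (?:Lesser|Library) General Public License", re.I), "LGPL"),
    (re.compile(r"GNU General Public License", re.I), "GPL"),
]
COPYRIGHT = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*[\d, -]+[^*/\n.]*", re.I)

def scan_file(text):  # direct scan of one file -> (license clue or None, copyright statements)
    holders = [c.strip() for c in COPYRIGHT.findall(text)]
    for pattern, license_id in LICENSE_CLUES:
        if match := pattern.search(text):
            return license_id or match.group(1), holders
    return None, holders

def inventory(dev_tree, reference):  # development BOM; a reference fingerprint match beats the notice scan
    bom = {}
    for path, text in dev_tree.items():
        digest, (license_id, holders) = sha1(text), scan_file(text)
        component = path.split("/")[1] if path.startswith("vendor/") else "original"  # provisional name
        if digest in reference:
            component, license_id = reference[digest]
        bom[path] = {"sha1": digest, "component": component, "license": license_id, "copyrights": holders}
    return bom

def action_items(bom, deployed):  # map deployed to development code; raise items only for what ships
    by_digest, items = {entry["sha1"]: path for path, entry in bom.items()}, []
    for dep_path, digest in deployed.items():
        src = by_digest.get(digest)
        if src is None:
            items.append((dep_path, "no matching development source: development codebase incomplete"))
        elif (bom[src]["license"] or "").startswith(("GPL", "LGPL", "AGPL")):
            items.append((dep_path, f"copyleft {bom[src]['license']} ({bom[src]['component']}): review interaction"))
    return items
```

The GPL-licensed MySQL file produces no action item because it is not in the deployed set, which is the "filter issues based on the effective Deployed code" step; the final read of each item is still an expert's job.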
License & Origin Analysis (2/2)
Results
• Software Inventory and Bill(s) of Materials
• Draft Action items & recommendations
Review & Report (1/2)
Activities
• Review draft findings with product team
  – Ask product team to respond to each Action item
    • Accept recommended solution or propose another approach
    • Acknowledge & investigate
    • Not a request to fix anything during the audit
  – Incorporate feedback and answers from product team into the Software BOM and Report
  – We may “agree to disagree”; we then present two points of view: ours and the seller’s
• Complete final report
  – Second review cycle with product team
  – Release the report
  – Conference call with buyer to present findings & answer questions
Review & Report (2/2)
Results
• Final Software Inventory / BOM spreadsheets
• Final Report: narrative with executive summary, project data and summary of the Action items and Responses
Software Audit Tools
• nexB typically uses a combination of tools for a software audit
  – Our own DejaCode™ toolkit is the primary tool
  – Other tools used as needed or as licensed by a customer (open source or commercial)
• Multiple layers of analysis
  – Direct scan for license and copyright notices
  – Component matching for open source and publicly available third-party components (freeware/proprietary)
  – Analysis of source code and pre-built libraries (binary)
  – Interaction and dependency analysis as needed
• Review and validation by software experts
• All require expert humans to interpret the results!
Why nexB (1/2)
• 100% of our customers are repeat customers and references
• We have a balanced approach
  – Automated code analysis AND analysis by software experts
  – Direct consultation with engineering, management and legal teams
  – Concrete Action items with recommended nexB action resolution and seller Responses
Additional Information
Why nexB (2/2)
• Trusted third party
  – Mitigates confidentiality concerns of a seller company
  – Maintains proper segregation of information during acquisition negotiations
  – Enables objective analysis with appropriate consideration of feedback from all parties
Contact us
Contact person: Pierre Lapointe, Customer Care Manager
[email protected]
+1 415 287-7643
More information: http://www.nexb.com/
Lessons Learned – Acquisitions (1/2)
• Schedule is always a major issue
• Initiate a software audit early because
  – Seller company will probably not have done this before
  – Negotiation of an NDA takes longer than you expect
  – Negotiation of access to artifacts and people takes longer than you think
• The review of findings and recommendations may require several iterations with the target company
  – Get answers for open issues
  – Get agreement about remediation strategies
  – Get agreement that the report is objective and reasonable
Lessons Learned – Acquisitions (2/2)
• Identify the “crown jewels” and key platforms of the seller technology
  – Concentrate the audit on the most important parts
  – For products with multiple operating system versions, focus on the most important platforms
• Some issues can be specific to the open source policies of the Buyer
  – For instance, tolerance for certain versions of open source licenses or proprietary Linux drivers varies among companies
  – We apply Buyer company policies if available
  – Otherwise we apply “conservative” community standards
  – Exceptional cases may require additional discussion with legal and business teams to evaluate the risks