nexB: Software Audit for Acquisition Due Diligence

© 2014 nexB Inc. All rights reserved. Confidential and proprietary

nexB provides products and services for software component management and license compliance. We have unique expertise in complex embedded devices and large server-based or appliance-based software products. We help companies determine what is in their software or in software provided by their suppliers. For more information, please visit www.nexb.com.



Agenda

•  About nexB
   –  What nexB does
   –  Our experience
•  Software Audit: M&A
   –  License Violation Risks & Recent Audit Issues
   –  Software Audit Process
   –  Software Audit Tools
•  Additional Information
   –  Why nexB?
   –  Contact us
   –  Lessons Learned


What nexB does

•  Enable component-based software development
   –  Software provenance (origin and license) analysis services
   –  Software asset management tools
•  Software audit services
   –  Acquisitions
   –  Software product releases
   –  Internal (IT) systems
•  Active open source developers
   –  Lead committers
   –  Contributors to OS projects
•  Expertise in software IP
   –  All modern languages and environments
   –  Embedded systems specialist

About nexB


Our experience is our difference

•  nexB has been recognized by buyer and target companies as:
   –  experts in software origin analysis
   –  a fair and trusted intermediary
•  nexB identifies issues along with practical remediation steps:
   –  Making sense for business and legal teams
   –  Actionable by the product teams
•  300+ software audit projects completed to date
   –  For due diligence prior to product releases, product licensing or M&A
   –  Aggregated value of the acquisition transactions > $5B
   –  Aggregated audited codebase > 3 billion lines of source code

About nexB


License Violation Risks

•  Violation of open source software license obligations
   –  “Copyleft” licenses (L/GPL, etc.) may force you to release proprietary software as open source or to rewrite the software
   –  Even “business-friendly” licenses (Apache, etc.) require you to identify and protect copyright owner rights and may impact your patent portfolio
   –  A negative reaction from the OSS community may impair your brand
•  Violation of third-party proprietary or commercial software license obligations
   –  Violation of a free proprietary software license may require you to rewrite software or acquire a commercial license
   –  Violation of a commercial software license may expose you to significant financial penalties and/or litigation

Software audit: M&A


Recent Audit Issue Examples

•  Affero GPL v3, GPL v3 and LGPL v3
   –  Increasing use of the “v3” licenses
   –  Implement policies early on to be ready for the v3’s
•  Dependency on obsolete OSS packages
   –  MySQL example: use of an older version (under LGPL 2.1) instead of the current version (under GPL 2.0) to avoid GPL impact in a commercial product
•  Dependency Issue “Workarounds”
   –  Telling the customer to download OSS package(s) to avoid distributing a copyleft-licensed OSS component (e.g. MySQL or FFmpeg)
•  SaaS / Cloud / Mobile
   –  Copyleft-licensed “scripting language” components may have a major impact on cloud-deployed apps
   –  Downloaded apps often do not comply with OSS license obligations

Software audit: M&A


Software Audit Process

Software audit: M&A


Software Analysis Scope

•  Open Source Code
   –  Software license compliance for open source components
   –  Interaction of open source with proprietary components
•  Third-party Proprietary Code
   –  Typically free redistribution, but restrictions on changes, field of use, etc.
•  Commercial Code
   –  Typically subject to company-to-company contracts
•  Code By Origin
   –  Estimate proportions of open source, third-party and original code
•  Vulnerability
   –  Report known vulnerabilities in code-level components, as recorded in the Open Source and National Vulnerability Databases

Software audit: M&A
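The Vulnerability item in the scope above, as an added Python example that is not nexB's code or data: a lookup of an inventoried component list against known-vulnerability records. The BOM rows, the advisory records and their ADV-EXAMPLE ids are constructed placeholders (not real CVE entries), and the half-open affected range [introduced, fixed) is the example's own convention. The one thing a practitioner should take from it is that versions must be compared numerically, since "1.10.0" sorts before "1.3.0" as a string and would be reported as fixed when it is not.

```python
# Added example: match a component BOM against a constructed advisory feed.
# Not nexB code; advisory ids below are placeholders, not real CVE numbers.

def parse_version(v):
    """'1.10.0' -> (1, 10, 0): integer tuples compare correctly, strings do not."""
    return tuple(int(p) for p in v.split("."))

# Constructed BOM rows, e.g. the output of the inventory step for a Deployed product.
BOM = [
    {"component": "libfoo", "version": "1.2.3"},
    {"component": "libfoo", "version": "1.10.0"},
    {"component": "barjs", "version": "0.9.1"},
    {"component": "bazlib", "version": "2.0.0"},
]

# Constructed advisories. 'introduced'/'fixed' bound a half-open range
# [introduced, fixed); fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libfoo", "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "barjs", "introduced": "0.0.1", "fixed": "0.9.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "barjs", "introduced": "0.9.0", "fixed": None, "severity": "low"},
]

def is_affected(version, advisory):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def match_vulnerabilities(bom, advisories):
    """Join BOM rows to advisories on component name and affected version range."""
    findings = []
    for row in bom:
        for adv in advisories:
            if adv["component"] == row["component"] and is_affected(row["version"], adv):
                findings.append({
                    "component": row["component"], "version": row["version"],
                    "advisory": adv["id"], "severity": adv["severity"],
                    # An unfixed advisory needs a mitigation action item, not a version bump.
                    "fix_available": adv["fixed"] is not None,
                })
    return findings

def summarize(findings):
    """Count findings per severity for the report's executive summary."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    found = match_vulnerabilities(BOM, ADVISORIES)
    for f in found:
        print(f)
    print(summarize(found))
```

Running it reports libfoo 1.2.3 (affected, fix available) and barjs 0.9.1 (affected, no fix yet); libfoo 1.10.0 is correctly treated as later than the 1.3.0 fix.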


Software Analysis Deliverables

•  Complete inventory of OSS and third-party components in Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
   –  Including possible exposure for older product versions
   –  Detailed analysis for copyleft “contamination”
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)

Software audit: M&A


Preparation (1/2)

•  Establish NDA with seller
   –  Two-way or three-way
•  Scope audit effort
   –  Audit profile (questionnaire)
   –  Size of code base: number of files and lines of source code
   –  Disclosure of known third-party and open source software
   –  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project

Software audit: M&A


Preparation (2/2)

•  Many targets are anxious about the process
   –  The general level of anxiety is inversely proportional to the prior M&A experience of the executives
   –  We do some hand holding to make them feel comfortable
   –  Assure the seller that they review all findings first, so there are no surprises
   –  Explain the process and tools to the seller

Software audit: M&A


License & Origin Analysis (1/2)

Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to a reference code repository for origin and license detection (based on digital “fingerprints”)
•  Map Deployed code to Development code to:
   –  Validate that we have a complete Development codebase
   –  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications of media codecs

Software audit: M&A
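The first three activities above (scan for notice clues, match against a reference corpus by fingerprint, map Deployed code back to Development code) together with the Code By Origin estimate from the Software Analysis Scope slide, as one added Python example. This is not nexB's DejaCode or any nexB code: the sample codebase, the reference corpus, the copyright holder Example Corp, the notice regexes and the whitespace-insensitive SHA-256 used as a "fingerprint" are all constructed for illustration, and the deck does not describe nexB's actual matching method.

```python
import hashlib
import re
from collections import Counter

# Constructed sample Development codebase (path -> contents); not real nexB data.
DEV_TREE = {
    "src/app/main.c": ("/* Copyright (c) 2014 Example Corp. All rights reserved. */\n"
                       "int main(void) { return 0; }\n"),
    "src/vendor/foo/foo.c": ("/* Copyright (C) 2009 Foo Project\n"
                             " * This program is free software; you can redistribute it under\n"
                             " * the terms of the GNU General Public License version 2. */\n"
                             "int foo(void) { return 1; }\n"),
    "src/vendor/bar/bar.js": ("// Licensed under the Apache License, Version 2.0\n"
                              "function bar() { return 2; }\n"),
    "src/util/helper.py": "def helper():\n    return 3\n",
}
# Constructed Deployed tree: helper.py does not ship; libz.c ships with no dev counterpart.
DEPLOYED_TREE = {
    "dist/main.c": DEV_TREE["src/app/main.c"],
    "dist/foo.c": DEV_TREE["src/vendor/foo/foo.c"],
    "dist/bar.js": DEV_TREE["src/vendor/bar/bar.js"],
    "dist/libz.c": "/* compression helper, origin unknown */\nint z(void) { return 4; }\n",
}

OWN_HOLDER = "Example Corp"  # the target company's own copyright holder (constructed)
COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0", "agpl-3.0"}
# Direct-scan clues: a few license notice phrases plus a copyright statement pattern.
LICENSE_PATTERNS = {
    "gpl-2.0": r"GNU General Public License,? version 2\b",
    "gpl-3.0": r"GNU General Public License,? version 3\b",
    "apache-2.0": r"Apache License,? Version 2\.0",
}
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\(c\)|©)?\s*(\d{4}(?:\s*-\s*\d{4})?)\s+"       # year or year range
    r"([^\n*/]+?)(?:\.?\s*All rights reserved\.?)?\s*(?=\*/|\n|$)",  # holder name
    re.I,
)

def fingerprint(text):
    """Whitespace-insensitive SHA-256 of a file: this toy's 'digital fingerprint'."""
    return hashlib.sha256(re.sub(r"\s+", "", text).encode("utf-8")).hexdigest()

# Constructed reference corpus (fingerprint -> known component); a real one is far larger.
REFERENCE = {
    fingerprint(DEV_TREE["src/vendor/foo/foo.c"]): {"component": "foo-1.2", "license": "gpl-2.0"},
    fingerprint(DEV_TREE["src/vendor/bar/bar.js"]): {"component": "bar-0.9", "license": "apache-2.0"},
}

def scan_clues(text):
    """Direct scan for license and copyright notices."""
    licenses = {k for k, pat in LICENSE_PATTERNS.items() if re.search(pat, text, re.I)}
    holders = [m.group(2).strip() for m in COPYRIGHT_RE.finditer(text)]
    return {"licenses": licenses, "holders": holders}

def classify(path, text):
    """Reference match wins; otherwise notice clues decide; otherwise 'original'."""
    loc = text.count("\n")
    match = REFERENCE.get(fingerprint(text))
    if match:
        return {"path": path, "origin": "open_source", "loc": loc, **match}
    clues = scan_clues(text)
    if clues["licenses"] or any(OWN_HOLDER not in h for h in clues["holders"]):
        lic = min(clues["licenses"], default="unknown")
        return {"path": path, "origin": "third_party", "loc": loc, "component": None, "license": lic}
    # No clues at all lands in 'original': precisely the bucket that needs expert review.
    return {"path": path, "origin": "original", "loc": loc, "component": None, "license": "proprietary"}

def inventory(tree):
    return [classify(p, t) for p, t in sorted(tree.items())]

def origin_proportions(records):
    """'Code By Origin': share of source lines per origin class."""
    lines = Counter()
    for r in records:
        lines[r["origin"]] += r["loc"]
    total = sum(lines.values()) or 1
    return {k: round(v / total, 3) for k, v in lines.items()}

def map_deployed(deployed, dev):
    """Map Deployed files to Development files by fingerprint; anything unmatched
    means the Development codebase handed over is incomplete."""
    by_fp = {fingerprint(t): p for p, t in dev.items()}
    matched, unmatched = {}, []
    for dpath, dtext in sorted(deployed.items()):
        src = by_fp.get(fingerprint(dtext))
        if src:
            matched[dpath] = src
        else:
            unmatched.append(dpath)
    return {"matched": matched, "unmatched": unmatched}

def deployed_copyleft_issues(records, mapping):
    """Filter copyleft findings to code that is effectively deployed/distributed."""
    shipped = set(mapping["matched"].values())
    return [r["path"] for r in records if r["path"] in shipped and r["license"] in COPYLEFT]

if __name__ == "__main__":
    recs = inventory(DEV_TREE)
    print(origin_proportions(recs), map_deployed(DEPLOYED_TREE, DEV_TREE)["unmatched"])
```

Two results are the ones worth looking at: dist/libz.c has no fingerprint match in the Development tree, which is the concrete signal behind "validate that we have a complete Development codebase", and a file with no notice and no corpus match is counted as original, which is why the Software Audit Tools slide insists that expert humans interpret the results.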


License & Origin Analysis (2/2)

Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations

Software audit: M&A


Review & Report (1/2)

Activities
•  Review draft findings with product team
   –  Ask product team to respond to each Action item
      •  Accept recommended solution or propose another approach
      •  Acknowledge & investigate
      •  Not a request to fix anything during the audit
   –  Incorporate feedback and answers from product team into the Software BOM and Report
   –  We may “agree to disagree” – e.g. we then present two points of view: ours and the seller’s
•  Complete final report
   –  Second review cycle with product team
   –  Release the report
   –  Conference call with buyer to present findings & answer questions

Software audit: M&A


Review & Report (2/2)

Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report: narrative with executive summary, project data and summary of the Action items and Responses

Software audit: M&A


Software Audit Tools

•  nexB typically uses a combination of tools for a software audit
   –  Our own DejaCode™ toolkit is the primary tool
   –  Other tools used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
   –  Direct scan for license and copyright notices
   –  Component matching for open source and publicly available third-party components (freeware/proprietary)
   –  Analysis of source code and pre-built libraries (binary)
   –  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All require expert humans to interpret the results!

Software audit: M&A


Why nexB (1/2)

•  100% of our customers are repeat customers and references
•  We have a balanced approach
   –  Automated code analysis AND analysis by software experts
   –  Direct consultation with engineering, management and legal teams
   –  Concrete Action items with recommended nexB action resolution and seller Responses

Additional Information


Why nexB (2/2)

•  Trusted third party
   –  Mitigates confidentiality concerns of a seller company
   –  Maintains proper segregation of information during acquisition negotiations
   –  Enables objective analysis with appropriate consideration of feedback from all parties

Additional Information


Contact us

Contact person:
Pierre Lapointe, Customer Care Manager
[email protected]
+1 415 287-7643

More information:
http://www.nexb.com/

Additional Information


Lessons Learned – Acquisitions (1/2)

•  Schedule is always a major issue
•  Initiate a software audit early, because:
   –  The seller company will probably not have done this before
   –  Negotiation of an NDA takes longer than you expect
   –  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with the target company
   –  Get answers for open issues
   –  Get agreement about remediation strategies
   –  Get agreement that the report is objective and reasonable

Additional Information


Lessons Learned – Acquisitions (2/2)

•  Identify the “crown jewels” and key platforms of the seller technology
   –  Concentrate the audit on the most important parts
   –  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
   –  For instance, tolerance for certain versions of open source licenses or for proprietary Linux drivers varies among companies
   –  We apply Buyer company policies if available
   –  Otherwise we apply “conservative” community standards
   –  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks

Additional Information