In the course of mergers and acquisitions, a thorough audit of software assets is critical to the transaction’s success. Technical due diligence (TDD) is a critical process that is used to scrutinize the technology stack of the target company. An open source software audit ensures that acquirers understand what they are buying, identify potential risks, and validate the technological assets’ value. This due diligence is especially important when the acquisition involves software assets, where the complexity and legal implications of software licenses, particularly open source licenses, demand careful examination.
The Value of Third Party Software Audits
Open source and third-party software comprise approximately 75% of the typical software codebase. This introduces complex challenges, primarily due to the variety of licenses and obligations attached to open source software (OSS). A third-party and open source software audit during the due diligence phase helps to:
- Ensure Compliance: Different OSS licenses have different requirements and restrictions. A software audit identifies the OSS components and their licenses, ensuring the acquiring company understands and complies with these terms.
- Minimize Legal and Security Risks: Some OSS licenses have stringent conditions that could pose legal risks for use in commercial products, while others may have security vulnerabilities. Identifying these legal and security risks helps mitigate potential legal battles and security exploits.
- Clarify Asset Value: Understanding the extent and nature of OSS within the software assets clarifies the true value of the intellectual property and what’s being acquired, affecting the deal’s terms and valuation.
- Support Strategic Decision-Making: Insight into the software assets’ composition aids in making informed decisions regarding integration, future development, and potential hurdles post-acquisition.
How to Conduct Software Audits in M&A Technical Due Diligence
Given the unique nature of each transaction, there are times when a preliminary, high-level analysis is beneficial to grasp the general state of the target software. For such initial assessments, an automated software composition analysis (SCA) scan insights report might be most appropriate. It utilizes comprehensive scanning tools to quickly produce essential insight that identifies the various open source software (OSS) licenses present, highlights potential compliance challenges or restrictions, and calls out security vulnerabilities. Additionally, this report offers a preliminary count of known code snippets found, hinting at the amount of potentially borrowed code within the software. Crucially, beyond just licensing risk, these reports evaluate the security risk by identifying known vulnerabilities in OSS components, which is vital for the M&A risk assessment.
Should the SCA insight report reveal the presence of licenses and snippets that could pose risks, a more in-depth, forensic-style third-party and open source software risk audit is advisable. This thorough service involves manual scrutiny by expert auditors to eliminate false positives and accurately identify code snippets that pose a risk, ensuring unparalleled precision in the software audit.
Safeguarding Intellectual Property in the Process
Another nuance in the M&A technical due diligence process is the practical need to protect intellectual property (IP) of the target’s software codebase. To meet this need, acquirers should consider how exactly the software audit is performed. Will source code need to be transferred? Will the software be secure during the transfer? How will you protect against data leakage during or long after the audit?
An effective way around this risk is to conduct what is called a “blind scan” or “blind audit”. In this process, the SCA provider never receives the target source code. Rather, a tool is provided to generate a digital fingerprint of the source code which is then scanned and compared against a knowledge base of known open source software components.
A Match occurs when a fingerprinted file is fully, or partially, matched to the Knowledge Base. Three Match Types are possible:
- Component Match – a binary that represents a compiled open source component
- Full File Match – a single file that matched a single file from an open source component
- Partial Match – a block of code that was matched to an open source repository
With a blind scan approach, no source code is ever exposed ensuring maximum security and confidentiality. A a result, legal obstacles to getting started are also eliminated. And lastly, a blind audit can be done remotely – no need to bring auditors on-site.
The Impact of AI-Generated Code on M&A Technical Due Diligence
With the proliferation of AI-generated code, the emphasis on snippet-level analysis becomes increasingly important. As generative AI coding assistants like GitHub Copilot, Google’s Codey, and Amazon CodeWhisperer, just to name a few, gain popularity, the risk of unintentionally incorporating code snippets that carry incompatible third-party licenses or hidden security vulnerabilities increases dramatically. Therefore, integrating snippet-level scrutiny into the technical due diligence process adds an essential layer of rigor in M&A transactions involving software assets, safeguarding against the complexities introduced by AI advancements in software development.
The FossID Team byline indicates this article reflects the collective work of the FossID team. With nearly a decade of expertise delivering open source auditing services, FossID is a pioneer in the critical field of software auditing and compliance. FossID’s Software Composition Analysis (SCA) tool, Workbench, and professional services are designed to ensure comprehensive open source compliance and security in software development.