Getting ready for open source due diligence as part of an M&A corporate transaction is not that hard or complex, especially if you already have an open source program that manages your open source usage, compliance and contributions. However, if you don't have such a program and need to establish a functioning one quickly, we're happy to provide a few pointers on how to do so.
What are the core building blocks you should establish to help you capture open source software in your code base and be ready to pass an open source due diligence?
Audit Your Complete Code Base
You need to maintain a complete software inventory of all software components, including their origin and license information. How do you achieve this? By running an audit of the complete code base. The goal of this exercise is twofold:
- First, it establishes baseline compliance for your software stack, from which you can then do incremental compliance for any new code entering the stack.
- Second, it produces a Software Bill of Materials (SBOM) that lists all open source software with its origin packages and license information, which is a required artifact in any type of open source due diligence as part of an M&A transaction.
Establish an Open Source Policy and Process
Given the widespread use of open source, it is almost impossible for any organization creating products or offering software-based services (regardless of industry) not to incorporate open source code in its products or service applications. Therefore, as part of an M&A transaction, the company subject to the due diligence is expected to present its open source policy and process. Hence the need to establish a lightweight open source policy and process that serve the purpose without creating an additional burden on your development teams. Simply put, the policy outlines the set of rules that govern the management of open source software, and the process details how the organization implements these rules.
Appoint a Resource to Oversee Open Source Management
In large enterprises, the open source compliance team is a cross-disciplinary group of individuals tasked with ensuring open source compliance and overseeing the use of and contribution to open source projects. In smaller companies or startups, however, this can be as simple as an engineering manager supported by legal counsel, ensuring that everything done with open source software is in line with the company policy.
Provide Basic Training on Open Source, Compliance and Company Policy
Education is an essential building block of any compliance program, ensuring that employees have a good understanding of the company's policy and process. In this specific context, the goal of open source and compliance training is to raise awareness of the company's open source strategy, policy and process, and to build a common understanding of open source licensing. It's important to note that many free and trusted education resources are available. For example, the Linux Foundation offers free training on open source compliance targeted at developers. We therefore encourage you to explore such resources, which will help you shortcut your efforts.
Adopt Tools to Increase Automation and Efficiencies
Organizations often use tools to automate source code audits: to discover open source code, identify its licenses, and compile the list of notices that must be made available to end users. FossID is one such tool, and we would welcome the opportunity to have a call with you, demonstrate our solution and offer you a trial license to take our tool for a test drive.
Use Latest Releases of Open Source Packages for Security Purposes
One of the benefits of using an integrated software composition analysis tool is the ability to scan code for known security vulnerabilities: discovering which versions of open source components carry known vulnerabilities and resolving them, most often by applying a patch or by upgrading to the fixed (usually latest) version. The goal of the exercise is to eliminate every currently known vulnerability in the open source software you use. Because new advisories are published continuously, the scan has to be repeated as part of the regular development process rather than run once before the transaction. The M&A due diligence will then show that you have done this exercise and that it is part of your ongoing development process.
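As an added example, not FossID's tooling or code from the original post, the following Python script ties together the two exercises described above: the code-base inventory that becomes an SBOM, and the check of component versions against known vulnerabilities, with a license-policy check alongside. Everything in it is constructed for the illustration: the component names and origin URLs, the advisory ids, the version thresholds and the policy. The output layout is shaped after CycloneDX JSON but is not validated against the schema.

```python
"""Minimal SBOM build plus known-vulnerability and license-policy check.
Added example; inventory, advisories and policy below are constructed."""
import json
import re

# Constructed inventory, as a code-base audit would produce it:
# component name, exact version, SPDX license id and origin package URL.
INVENTORY = [
    {"name": "libfoo", "version": "1.2.3", "license": "MIT",
     "origin": "https://example.invalid/libfoo"},
    {"name": "libbar", "version": "2.0.0", "license": "Apache-2.0",
     "origin": "https://example.invalid/libbar"},
    {"name": "libbaz", "version": "0.9.1", "license": "GPL-2.0-only",
     "origin": "https://example.invalid/libbaz"},
    {"name": "libqux", "version": "3.1", "license": "AGPL-3.0-only",
     "origin": "https://example.invalid/libqux"},
]

# Constructed advisories with hypothetical ids: every version below
# "fixed_in" is affected, which is the usual shape of a real feed.
KNOWN_VULNS = [
    {"id": "EXAMPLE-ADV-0001", "name": "libfoo", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-ADV-0002", "name": "libbar", "fixed_in": "1.9.0"},
    {"id": "EXAMPLE-ADV-0003", "name": "libbaz", "fixed_in": "1.0.0"},
]

# Constructed policy: licenses refused outright, and licenses that
# need legal review before the component ships.
POLICY = {"denied": {"AGPL-3.0-only"}, "review": {"GPL-2.0-only", "GPL-3.0-only"}}


def parse_version(text):
    """Turn '1.2.3rc1' into (1, 2, 3); a piece with no digits counts as 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if a is strictly older than b; pads so '1.2' equals '1.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def build_sbom(inventory):
    """Emit the inventory in a CycloneDX-like layout (not schema validated)."""
    components = [{
        "type": "library",
        "name": item["name"],
        "version": item["version"],
        "licenses": [{"license": {"id": item["license"]}}],
        "externalReferences": [{"type": "distribution", "url": item["origin"]}],
    } for item in inventory]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}


def find_vulnerable(inventory, advisories):
    """Return the components whose version is below an advisory's fix."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_name.get(item["name"], []):
            if version_lt(item["version"], adv["fixed_in"]):
                findings.append({"name": item["name"], "version": item["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def check_license_policy(inventory, policy):
    """Map each component name to 'allowed', 'review' or 'denied'."""
    def status(lic):
        if lic in policy["denied"]:
            return "denied"
        return "review" if lic in policy["review"] else "allowed"
    return {item["name"]: status(item["license"]) for item in inventory}


def due_diligence_report(inventory, advisories, policy):
    """Bundle SBOM, findings and policy status; ready only when both are clean."""
    vulns = find_vulnerable(inventory, advisories)
    licenses = check_license_policy(inventory, policy)
    blocked = [name for name, st in licenses.items() if st == "denied"]
    return {"sbom": build_sbom(inventory), "vulnerable": vulns,
            "licenses": licenses, "ready": not vulns and not blocked}


if __name__ == "__main__":
    print(json.dumps(due_diligence_report(INVENTORY, KNOWN_VULNS, POLICY), indent=2))
```

In a real pipeline the constructed inventory would come from the scanner's output and the advisory list from a vulnerability feed, and the version comparison would use each ecosystem's own version semantics instead of the simple numeric padding used here. The "ready" flag is deliberately strict: one known-vulnerable version or one denied license is enough to fail, which is the question a due diligence reviewer will ask first.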
Self-certify With OpenChain
The OpenChain Project is home to OpenChain ISO 5230, an international standard for open source license compliance. It offers a free online self-certification that organizations can go through to demonstrate that their existing open source compliance practices meet the standard. It is a great starting point for organizations to self-assess their internal compliance implementation and identify areas for improvement. It is also very helpful to go through the self-certification and provide the results as part of the due diligence. Optionally, several OpenChain partners can be hired to perform that exercise as an independent party.
Open Source Audits by FossID
FossID's open source audit services help you understand which open source components reside in the audited code base, and whether that code base complies with the license requirements those components carry. We have pioneered an innovative approach we call BlindAudit™, which allows us to perform audits and generate reports without your source code being exposed to us.
You can read more about it at https://fossid.com/open-source-audits/ and we’re more than happy to have a call with you and discuss your specific requirements.