Accurate Results and Agile Business Support in Demanding Technical Due Diligence – Case Study

A leading vendor of software solutions for customer relationship management (CRM) leverages FossID’s technology to grow their global business operations.

CUSTOMER

A world leading vendor of software solutions for Customer Relationship Management (CRM)

This world-leading vendor of software solutions for customer relationship management (CRM) uses the latest technologies in cloud-based services, social media, mobile communications, the Internet of Things (IoT), Artificial Intelligence (AI), and more. The customer is headquartered in the San Francisco Bay Area and caters to a global market.

CHALLENGE

Up to a dozen M&A transactions per year

A strategic pillar in the business of the customer is to grow inorganically through mergers and acquisitions. Acquired companies and businesses are integrated into the customer’s products and services portfolio according to a fast-paced schedule and require extensive technical due diligence.

The customer includes open source audits in their technical due diligence of target companies, which results in a complete Bill-of-Materials (BoM) of proprietary and open source components in the target company’s source code.

The customer’s open source officers were using audit services from a competing vendor, but searched for a new alternative due to:

  • High cost
  • Insecure target source code handling
  • Inaccurate results with many false positives

SOLUTION

Blind audits by FossID

The customer has used FossID as its exclusive open source software auditor since 2017; whenever an M&A transaction process is initiated, FossID executes the open source related part of the technical due diligence.

FossID uses its own tool, created “for the programmers,” based on years of frustrating experiences with existing vendors and a belief that software composition analysis could be made faster, more accurate, and more effective.

FossID and the customer agreed on a process in which the target company scans its own software repositories and securely uploads only the resulting digital signatures (fingerprints of the files) to FossID, which then uses those signatures for the audit. No source code ever leaves the premises of the target company, and FossID does not even need to know the name of the target company. After completing the audit, FossID delivers several comprehensive reports to the customer, listing all the findings:

  • Software Bill of Materials (SBOM) in various formats including SPDX
  • Security vulnerability report
  • FossID-authored executive summary

RESULT

Accurate results and agile business support

The customer found that the target company’s source code could be scanned without exposing it or transferring it to the infrastructure that hosts the audit tools. Instead, the audits could be performed “blindly,” using only the digital signatures of the code to query the knowledge base.
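The following is an added example illustrating the blind-audit split described above; it is not FossID’s code, and FossID’s actual signature format and matching method are not described on this page. It assumes whole-file SHA-256 hashes as the “digital signature” (real SCA tools also use finer-grained snippet fingerprints), an opaque per-file id so that even file names stay on-prem, and a constructed knowledge base of hashes for fictional open source components. The target side produces a manifest containing only ids, hashes and sizes; the auditor side matches that manifest and returns a bill of materials keyed by id; the target then resolves ids back to paths locally.

```python
"""Added example (not FossID's code or format): a minimal "blind audit".

Target side:  walk a source tree, hash every file, upload a manifest that
              carries opaque ids, hashes and sizes, and nothing else.
Auditor side: match the manifest against a knowledge base of hashes of
              known open source files and build a bill of materials.
Target side:  map the ids in the auditor's report back to real paths.

The knowledge base and the sample source tree are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from collections import defaultdict

HASH_ALG = "sha256"


def file_fingerprint(data: bytes) -> str:
    """Whole-file fingerprint (assumption: SHA-256 over raw bytes)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str):
    """Target side. Returns (manifest, path_map).

    `manifest` is the only thing uploaded. `path_map` (id -> relative path)
    never leaves the target's premises, so the auditor sees neither source
    text nor file names.
    """
    manifest, path_map = [], {}
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            file_id = f"f{len(manifest):06d}"
            manifest.append({"id": file_id, HASH_ALG: file_fingerprint(data), "size": len(data)})
            path_map[file_id] = os.path.relpath(full, root).replace(os.sep, "/")
    return manifest, path_map


# Constructed knowledge base: contents of fictional open source files,
# indexed by their fingerprint. A real knowledge base holds only hashes.
_KNOWN_FILES = {
    b"int add(int a, int b) { return a + b; }\n": ("libarith", "1.2.0", "MIT"),
    b"static int mul(int a, int b) { return a * b; }\n": ("libarith", "1.2.0", "MIT"),
    b"def greet(name):\n    return 'hi ' + name\n": ("greetpy", "0.3.1", "Apache-2.0"),
}
KNOWLEDGE_BASE = {file_fingerprint(content): meta for content, meta in _KNOWN_FILES.items()}


def audit(manifest, knowledge_base):
    """Auditor side: consumes only the manifest, never source. Returns a BOM."""
    components = defaultdict(lambda: {"license": None, "file_ids": []})
    unmatched = []
    for entry in manifest:
        meta = knowledge_base.get(entry[HASH_ALG])
        if meta is None:
            unmatched.append(entry["id"])  # proprietary or unknown file
            continue
        name, version, license_ = meta
        components[(name, version)]["license"] = license_
        components[(name, version)]["file_ids"].append(entry["id"])
    return {
        "components": [
            {"name": n, "version": v, "license": c["license"], "file_ids": c["file_ids"]}
            for (n, v), c in sorted(components.items())
        ],
        "unmatched_file_ids": unmatched,
    }


def resolve_report(bom, path_map):
    """Back on-prem: translate opaque ids in the auditor's BOM into paths."""
    return {
        "components": [
            {**c, "files": [path_map[i] for i in c["file_ids"]]} for c in bom["components"]
        ],
        "unmatched_files": [path_map[i] for i in bom["unmatched_file_ids"]],
    }


def demo():
    """End-to-end run over a constructed source tree; returns the resolved report."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "vendor/add.c": b"int add(int a, int b) { return a + b; }\n",  # copied OSS file
            "src/greet.py": b"def greet(name):\n    return 'hi ' + name\n",  # copied OSS file
            "src/main.c": b"int main(void) { return 0; }\n",  # proprietary, not in KB
        }
        for rel, content in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        manifest, path_map = build_manifest(root)
        # Check the property the case study relies on: the upload carries no
        # source text and no file names, only ids, hashes and sizes.
        assert all(set(e) == {"id", HASH_ALG, "size"} for e in manifest)
        bom = audit(manifest, KNOWLEDGE_BASE)  # this is all the auditor ever sees
        return resolve_report(bom, path_map)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Exact-hash matching only finds verbatim copies of known files; modified or partially copied code needs snippet-level fingerprints, which is why production SCA tools do more than this. The manifest itself is still confidential (it reveals which known components the target uses), so it should travel over an authenticated, encrypted channel, as the case study’s “securely uploads” implies.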
