Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP
Speakers
Peter Vescuso
EVP of Marketing & Business Development,
Black Duck Software
Hal Hearst
Sr. Director, Olliance Group
Russell Hartz
Corporate Development, SAP
Agenda
Market trends
Why technical DD is needed
M&A Issues
How it works: code scanning, analysis
SAP: Perspective from a Major Acquirer
Summary
Note: All registered participants will receive a follow-up email with a copy of the slides and a link to the webinar recording.
Open source is becoming pervasive and ubiquitous
– It’s in your phone, your HD TV, your printer, your web browser, Google, Amazon, Twitter, etc.
– Gartner reports 85% of enterprises use OSS today
Economics of OSS are compelling
– Virtually all IT organizations now use OSS; much of it is ad hoc
– 45% of use is mission-critical
Market Need – “Managing Abundance”
– < 30% of customers have any OSS policies
– Need: address the challenges of multi-source development:
– Compliance/Management – IP, security, export
– Management/Automation – policy, process, multi-source
451 Group Survey on OSS Use (December 2009)
• 87% of companies say OSS meets or exceeds cost savings expectations
• 39% of OSS users ranked flexibility as the primary benefit
Market Trends
Why Technical DD is Needed: Many Paths for Open Source to Get into a Code Base
Diagram: your software application (within your company’s tools and processes) draws on open source software, internally developed code, outsourced code development and commercial 3rd-party code; that code originates with individuals, universities and corporate developers, and each path brings both code and obligations into the code base. Other diagram labels: Cambridge, San Mateo, Russia, Bangalore.
“Open source is a necessary component of all organizations' supply chain strategies. It is essentially a way to manage cost and mitigate 3rd party dependencies.” Brian Prentice, Gartner Group
Why Technical DD is Needed: Issues
Open Source Problems
– Open source issues arise in the development process and the software supply chain
– Discovery of open source after the target has made its open source representations
– Anonymous: entire source code posted on SourceForge
Risks
– Lose deal
– Delay deal
– Reduced price/valuation
– Lost revenue
Why Technical DD is Needed: Issues
Use of open source is widespread (despite what your CTO tells you)
– “A ‘don’t ask, don’t tell’ pact obscures the reality of OSS use” (Jeffrey Hammond, Forrester Research)
Major acquirers and licensees are increasingly sensitive to uncertainty in general and to this issue in particular (some have a separate due diligence process for open source)
Difficult to correct problems during merger frenzy
Delay may be deadly to the deal
Open Source Licenses
Open source licenses give broad rights
– Copy, modify, redistribute
– Includes express or implied patent rights
– But also obligations, which are triggered on distribution, not on use
Product Risks
– Uncertain "pedigree"
– "AS IS"
– Copyleft nature of GPL & other licenses
Risks of Unmanaged Code
– Loss of Intellectual Property
– Export Regulations
– Injunctions
– Security Vulnerabilities
– Software Defects
– License Rights and Restrictions
– Contractual Obligations
– Escalating Support Costs
– Software Licensing Violations
Examples named on the slide (licensing violation matters and enforcement parties): Best Buy, Cisco, Verizon, Monsoon Multimedia, Xterasys, High-Gain Antennas, Bell Microproducts, Super Micro Computer, Software Freedom Law Center, Motorola, Acer, Skype, D-Link, BT, gpl-violations.org, others; Jacobsen v. Katzer; ASUS eeePC laptop; Diebold
Valuation impacts: infringement, remediation costs, new revenue, support costs, vulnerability
Compare code in the target’s code base against a comprehensive KB of open source components
Generate a software Bill of Materials, identify license obligations and perform conflict analysis
Diagram: code base (open source, third-party code, internal code) → Black Duck analysis against the KnowledgeBase (projects, licenses) on a validation server → report (Bill of Materials, license conflicts)
Technology Allows Easy Discovery of Unknown Open Source
The Black Duck KnowledgeBase: Unmatched Depth & Breadth
– Over 100 billion lines of code
– 550,000+ OSS projects, all versions
– Over 5,060 sites
– Representing 2,000+ unique licenses
– 50,000+ security vulnerabilities
– 550+ cryptographic algorithms
Extensive metadata
– Name, description, versions, URL
– License, programming language, OS
– National Vulnerability Database
– Cryptography
– Code prints of source/binary
– Customer-specific/contributed
Comprehensive open source database
• Addresses the “long tail” of OSS projects
• Continuously expanded
• Custom code printing to add your own code
• Daily security vulnerability alerts
• Automated metadata updates issued ~2x month
Code Prints
Encoded representation of source code
– Black Duck KnowledgeBase represented by billions of Code Prints
Robust Code Detection
– Exact and fuzzy Code Print comparison
– Statistically-based, pattern-matching
Extensible to Additional Code
– Add any code to local copy of KnowledgeBase
– Track / manage sensitive source code
Confidential
– Source code and Code Prints remain local
– Code Prints impossible to reverse engineer
Code Prints make it all possible
– Many TB of code can reside on a local server
– Efficiently searched to speed time-to-results
– Finds the origin of code even without an audit trail
Code matching
– Compare Code Prints of your source code to the Black Duck KnowledgeBase
– Detects matches of components, files and code fragments
– Finds reused code even when altered
– Reports project / license for confirmation
– Language independent
Dependency analysis
– Import/include statements
Integrated string search
– Standard string search queries
– Custom strings
– Find licenses, copyrights, URLs, company names, user comments (“taken from”), …
Analysis results that are unachievable by a manual process
Source Code Analysis
File matching
– Compares checksum value to the KnowledgeBase
– Libraries, class files, executables, archives, images, and more
Dependency analysis
– Detect dependencies embedded in JAR, CLASS, DLL, SO, etc.
Archives and Compressed Files
– Descends into archive files (zip, jar, tar, war, …)
– Recursively performs source and binary analysis
– MD5
– The Black Duck KnowledgeBase simplifies binary file identification
Binary Code Analysis
Over 2,000 open source and other licenses
– With full license text
Licenses organized according to 24 attributes
– Rights and obligations to simplify license review
Display of license conflicts
Automated approval process
Obligation fulfillment checklist
Add custom licenses
Speed license reviews and make better choices, earlier in the development process
License Analytics
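The source code analysis, binary code analysis and license analytics slides above describe the scan pipeline in prose. The following Python script is an added example written for this page, not Black Duck's product code or SAP's process, and it shows the same steps in miniature: walk a code tree, descend recursively into zip/jar/war and tar archives, match each file's MD5 against a constructed KnowledgeBase of known open-source file hashes, string-search for license text, copyright notices and "taken from" comments, extract import/include dependencies, and roll the findings up into a Bill of Materials with a constructed high-risk (copyleft) policy flag. Every project name, hash, path, license pattern and the high-risk rule are invented for the demo; a real KnowledgeBase also matches fuzzy code prints of fragments, which whole-file checksums cannot do.

```python
# Miniature technical due-diligence scan: an added example, not Black Duck's product code.
# Every project name, hash, license pattern, path and policy rule below is constructed for the demo.
import hashlib, io, re, tarfile, tempfile, zipfile
from pathlib import Path

ZIP_SUFFIXES, TAR_SUFFIXES = (".zip", ".jar", ".war"), (".tar", ".tar.gz", ".tgz")
LICENSE_PATTERNS = {"GPL-2.0": re.compile(r"GNU General Public License", re.I),       # toy string-search
                    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),  # patterns, not a
                    "MIT": re.compile(r"\bMIT License\b", re.I)}                       # full license matcher
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\))?\s*\d{4}[^\n]*", re.I)
HINT_RE = re.compile(r"taken from[^\n]*", re.I)   # user comments that betray copied code
DEP_RE = re.compile(r'^\s*(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import|#include\s*[<"]([^>"]+)[>"])', re.M)
HIGH_RISK = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}   # constructed policy: strong copyleft must go before shipping

def iter_archive(name, data):
    """Yield (member_name, bytes) for every regular file inside a zip-family or tar archive."""
    lower = name.lower()
    if lower.endswith(ZIP_SUFFIXES):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif lower.endswith(TAR_SUFFIXES):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()

def analyze_blob(path, data, kb, findings):
    """Record one file: MD5 lookup in the KB, string search, dependency extraction; recurse into archives."""
    md5, text = hashlib.md5(data).hexdigest(), data.decode("utf-8", errors="ignore")
    findings.append({
        "path": path, "md5": md5, "kb_match": kb.get(md5),   # exact file match, as in binary analysis
        "licenses": sorted(n for n, p in LICENSE_PATTERNS.items() if p.search(text)),
        "copyrights": COPYRIGHT_RE.findall(text), "hints": HINT_RE.findall(text),
        "deps": [next(g for g in m.groups() if g) for m in DEP_RE.finditer(text)],
    })
    if path.lower().endswith(ZIP_SUFFIXES + TAR_SUFFIXES):   # descend, then analyze members the same way
        for inner, blob in iter_archive(path, data):
            analyze_blob(f"{path}!/{inner}", blob, kb, findings)

def scan_tree(root, kb):
    """Walk the target's code base and analyze every regular file (paths reported relative to root)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            analyze_blob(p.relative_to(root).as_posix(), p.read_bytes(), kb, findings)
    return findings

def build_bom(findings):
    """Collapse per-file findings into a Bill of Materials keyed by component, flagging high-risk licenses."""
    bom = {}
    for rec in findings:
        if rec["path"].lower().endswith(ZIP_SUFFIXES + TAR_SUFFIXES):
            continue   # the container is not a component; its members were analyzed individually
        if rec["kb_match"]:   # known OSS file: the KB's project/license is authoritative
            component, license_ = rec["kb_match"]
        elif rec["licenses"] or rec["hints"]:   # license text or "taken from" without a KB hit: needs review
            component, license_ = f"unknown-origin:{rec['path']}", "/".join(rec["licenses"]) or "unknown"
        else:
            component, license_ = "internal", "proprietary"
        entry = bom.setdefault(component, {"license": license_, "files": [], "deps": set(), "high_risk": False})
        entry["files"].append(rec["path"])
        entry["deps"].update(rec["deps"])
        entry["high_risk"] |= license_ in HIGH_RISK or bool(set(rec["licenses"]) & HIGH_RISK)
    return bom

def make_sample_tree(root):
    """Construct a toy target code base and return the matching toy KnowledgeBase (all contents invented)."""
    gpl_util = (b"# taken from http://example.invalid/examplelib\n"
                b"# Licensed under the GNU General Public License, version 2\ndef helper():\n    return 42\n")
    app = (b"# Copyright (c) 2010 ExampleCo, Inc.\nimport json\nfrom vendor.util import helper\n"
           b"def run():\n    return json.dumps(helper())\n")
    for rel, content in (("src/app.py", app), ("src/vendor/util.py", gpl_util)):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(content)
    readme, tar_buf = b"Released under the MIT License.\n", io.BytesIO()   # tarball nested inside the jar
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("README")
        info.size = len(readme)
        tf.addfile(info, io.BytesIO(readme))
    class_bytes = b"\xca\xfe\xba\xbe" + b"\x00" * 28   # fake .class file: JVM magic plus padding
    with zipfile.ZipFile(Path(root, "bundle.jar"), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/LICENSE.txt", "Apache License, Version 2.0\n")
        zf.writestr("com/example/Foo.class", class_bytes)
        zf.writestr("inner.tar.gz", tar_buf.getvalue())
    return {hashlib.md5(gpl_util).hexdigest(): ("examplelib", "GPL-2.0"),
            hashlib.md5(class_bytes).hexdigest(): ("examplejar", "Apache-2.0")}

def run_demo():
    # Build the sample tree in a temp dir, scan it, return (per-file findings, BOM)
    with tempfile.TemporaryDirectory() as root:
        findings = scan_tree(root, make_sample_tree(root))
    return findings, build_bom(findings)

if __name__ == "__main__":
    for comp, e in run_demo()[1].items():
        print("HIGH RISK" if e["high_risk"] else "ok       ", comp, e["license"], ", ".join(e["files"]))
```

Running it prints the BOM: the GPL utility that was pasted into the target's own src/ tree is flagged HIGH RISK, the README inside a tar.gz inside the jar is still found, and the Apache LICENSE.txt that has no checksum match lands in an "unknown-origin" bucket for human confirmation. That is the triage split the SAP process below relies on: high-risk components must be removed before shipment, everything else goes through normal governance.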
Remediation
A code audit may reveal issues that need remediation
Remediation can be done…
– Pre-acquisition as a condition of the sale
– Post-acquisition as part of the integration
Primary concerns during the due-diligence phase
– Does the remediation impact valuation?
– What is the cost & effort?
– Who should do it?
– When is it done?
– How much risk is the acquirer taking?
Remediation options will depend upon the OSS detected (license)
Process: conduct code audit → determine remediation options → remediate
What are the Remedies?
Conform to the License
– Verify compliance to license obligations
– Check for file modifications
– Confirm file-level obligations are met
– Copyright statements retained
– Modification notices in place
– License text in place
– Publish / distribute software if necessary
– Update documentation/splash screens if necessary
– And a host of others depending upon the license
– Implement changes
– Typically done during integration (post sale)
Change Usage
– Some obligations depend upon the usage scenario
– Re-architect so usage of the component is less integrated
– Comply with more desirable license terms
What are the Remedies? - Cont.
Remove Offending Code
– Black Duck service can detect “fossils”
– Verify code can be safely removed with no impact
– Typically forced on sellers
Replace Code
– Replace with other OSS
– Replace with a commercial alternative
– Replace with in-house developed code
Need Clean Room Environment?
– Can be difficult if the OSS component is critical
– Can be lengthy and expensive
SAP Profile
The SAP Solution Portfolio: SAP Business Suite, SAP Solutions for SME, SAP NetWeaver
– Implement flexible business processes
– Improves business insight
– Drives business efficiency
– Enables flexibility & innovation
Major acquirer: 20+ acquisitions since 2007 valued at >$13 billion
Black Duck code scans in 15 closed deals since 2007 with total value >$7.5 billion
> 2,000 OS components identified in target solutions
SAP’s Experience with Evolution of Target’s Response to Open Source Due Diligence
Past: Skepticism → Present: Industry Standard
– “Why is SAP performing OS diligence?” → Open source due diligence is expected
– Many questions about process / NDA heavily negotiated → Few process questions / little negotiation of NDA
– Require code scan to be performed on site → Allow remote code scan
SAP – M&A Due Diligence on Open Source
SAP asks targets (typically prior to signing a term sheet):
– Provide a list of all open source in use
– Do you have a policy regarding open source use?
– Do you have a governance process to monitor & control the use of open source in your products?
Following execution of a non-binding term sheet, SAP engages Black Duck to scan the target’s code for open source.
Scan results are evaluated by SAP’s open source licensing and legal groups prior to finalizing the transaction.
SAP M&A Open Source Evaluation Process
Evaluate and categorize the risk of open source components used in the target’s products
– High risk components must be removed prior to SAP’s shipment of the product post-closing
– Non-high-risk components are dealt with following closing as part of SAP’s standard open source governance process
SAP may terminate a transaction evaluation due to the amount of open source found in the target’s code and/or the cost of remediating high risk components
SAP Open Source Governance Process
Process elements (as labelled in the diagram): general license evaluation, open source request form, architecture check, legal & IP evaluation, applicant briefing, management approval
General license evaluation
– Warranties / liabilities
– Support offerings
– General license grant
– Export restrictions
Modifications
– Does the license allow for modifications?
– What terms apply to modifications?
Special requirements
– Required text for documentation
– Copyright notices
– Distribution prerequisites in general
IP evaluation
– Product’s characteristics
– Contribution policy
– Companies supporting and using the open source product
Summary
Open source is pervasive and ubiquitous
Checking for open source has become an industry best practice in M&A involving software assets
Be pro-active:
– Run a code scan to accurately identify the open source components used in your code
– Create an explicit policy for using open source
– Regularly audit compliance (can be automated)