The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

From diligence to integration: How software audits inform post-close M&A strategies

Phil Odence

Sep 21, 2023 / 3 min read

Software due diligence is an all-important aspect of any merger and acquisition (M&A) transaction, and in the tech M&A world, a target’s software assets are a significant part of the valuation. This due diligence process should identify a target company’s open source license obligations, application security and code quality risks, and the organization, processes, and practices that compose the software development life cycle. The findings of this assessment provide a comprehensive pre-close view of the state of the target’s software and capabilities, and enable planning of the post-close integration into the acquiring company. Black Duck® audits cover the breadth and depth of software due diligence, and many companies augment their own due diligence with our services.


Open source and third-party software audits

Our open source and third-party software audits provide a complete and accurate Software Bill of Materials. Using a combination of sophisticated tools and human experts, we dig into the target’s codebase to discover all open source and third-party components. Based on the findings, the audit highlights associated licensing obligations and conflicts, known security vulnerabilities, and operational risk, and provides guidance on remediation. Today, about 75% of a typical proprietary codebase is open source and third-party software, and most targets are unable to completely identify these components in their code. So visibility into the target's open source usage is essential to mitigate risks and ensure compliance with the acquirer’s policies—acquiring companies tend to have more stringent requirements. While open source audit results rarely turn up deal-killers, they usually identify remediation work, sometimes extensive, that will have to be completed before full integration.

Application security audits

Application security due diligence requires a multilevel approach: analyzing applications’ source code, testing in their full running state, and reviewing deficiencies related to the security controls in the design of the application. In the current cyberthreat landscape where cyberattacks are becoming more sophisticated and frequent, it is imperative to identify and address security risk to ensure that software being acquired is resilient to potential attacks. The results of the security audit often lead to the implementation of additional security controls or the remediation of identified vulnerabilities.

Software quality audits

Reasonable code quality and solid architectural design are also essential to successful integration and thus a focus of software due diligence. It’s important to assess the target's software for potential coding errors and design flaws that will impact the software's functionality and maintainability. Identifying and addressing areas that are candidates for code refactoring can help ensure that the acquired software is of high quality and easy to maintain, reducing the risk of future technical issues and ensuring that the software can be easily integrated into the acquiring company's technology stack. Code quality and design audits may lead to changes in the software development process, such as the adoption of new coding standards or the implementation of automated testing and quality assurance tools. Sometimes they justify the need for rearchitecting “hairball” codebases so that they will not be a drag on developer productivity.

The processes and practices in a target’s software development life cycle and the quality and maturity of the key personnel, practices, coding standards, processes, and tools are all critical to understand prior to a transition. Depending on plans for the acquisition—e.g., will the company be rolled into its new parent or run as a subsidiary—this information is vital to laying out organizational roadmap.

Reduce your risks with a comprehensive audit

Software due diligence may turn up unanticipated surprises for pre-close consideration, but the findings are just as critical to informing the post-close integration and plans. Deals hinge on a business case that may need to be revisited if the diligence uncovers issues adding up to a pile of technical debt that will significantly impact integration or the release of a new product, or even cause a delay of closing until the seller addresses. A business unit absorbing the acquisition runs the risk of being burdened by inherited technical debt if it’s not discovered pre-close, but significant issues identified in due diligence can be accounted for as part of the deal—costs that may be passed onto the seller as part of the transaction.

In conclusion, software due diligence is a critical aspect of any M&A transaction involving software assets. The findings of the due diligence process are essential in informing the post-close integration of the target's software, ensuring that the acquired software is secure, compliant, of high quality, and generally not overburdened with technical debt. By conducting a thorough software due diligence process, acquiring companies can reduce the risk of future technical issues and maximize the chances of a successful acquisition.

eBook

The Agile Security Manifesto

M&A Software Due Diligence Checklist

Continue Reading

Explore Topics