Open source security risk: Managing the threat in mergers and acquisitions

by Shandra Gemmiti on September 27, 2018

I have blogged before about the pervasiveness of open source in applications today. Synopsys and other organizations have been tracking its growth for years, particularly as it relates to the amount of open source code we find in the applications we scan. Our Black Duck On-Demand Audit team scans thousands of applications every year, mostly in M&A scenarios. Many of our customers come to us during their due diligence efforts to offer a third-party assessment of the open source in a codebase, its related license obligations, and potential security risks. This audit data gives us a unique view of the open source landscape.

In fact, in the graph below, you can see that on average, the applications we scanned in 2017 were made up of 57% open source. Many times, people look at the average amount of open source in all applications, whereas this data gives us a really good sense of how applications are being built today. Because this anonymized data comes from smaller companies being acquired in 2017, it gives us a good sense of the current state of open source.

451 Research—specifically Daniel Kennedy, research director for information security—views the prevalence of open source as a potential risk during M&A. Oftentimes, the target of a tech M&A deal is the IP captured in the application code that the company has custom-developed. What buyers are not always aware of is the more than 50% of that code that is made up of open source. Ignoring such a large chunk of the codebase can lead to a large gap in security awareness for a buyer. If the target hasn’t managed their open source usage well—and our data tells us there is always more in use than a company realizes—then buyer beware when it comes to potential vulnerabilities. Particularly when those vulnerabilities could put private or sensitive data at risk.

Sponsorships Available

Kennedy also speaks to data privacy risk as he discusses what impact GDPR (General Data Protection Regulation) has on open source in M&A. The best way to illustrate this potential risk is to walk through a thought experiment to bring two headline-making events together. Imagine with me that Equifax had just been acquired in a blockbuster M&A deal when the Apache Struts breach happened in 2017. Imagine still that the acquirer had not performed any open source diligence on Equifax ahead of the acquisition. (As we know, the Apache Struts vulnerability had been found and a patch issued well before the breach at Equifax occurred.) Finally, imagine with me that this all happened after GDPR had gone into effect.

As was highly publicized, the security breach compromised the personal data of more than 140 million people and cost upward of $400 million. That doesn’t include the additional financial impact of the fines that would have been levied under GDPR in a post-regulatory landscape. Including open source in the scope of any due diligence process helps an acquirer protect itself against this level of exposure and potential impact to deal ROI.

Kennedy does not see this trend in open source use abating anytime soon. Developers will not stop using open source as the demands on their time and agility grow, and they will continue to focus on building custom code and using open source where possible. In his final thoughts for acquirers, Kennedy recommends making software composition analysis, specifically analysis of open source, part of the M&A due diligence process to help protect against these potential risks.