SBN

M&A, trust in software, and a good night’s sleep

Building trust in your software is important, but software trust is even more important in M&A transactions.

M&A trust | Synopsys

The Black Duck® Audit team is part of the Synopsys Software Integrity Group. And Synopsys is all about trust. The Synopsys mission is to help you build trust in your software. 

There is nothing better than a good night’s sleep. And with the importance of software to almost every business today, concern about software risk can negatively impact your slumber. An estimated 99% of good sleepers trust that they won’t wake up to news of a breach or lawsuit or customer-impacting outage. Ok, that’s my estimate.

The elements of the software trust triangle are

  1. License compliance. Do the third-party components that constitute 78% of typical proprietary software require a license to use it?
  2. Application security. Is the software built in a way that thwarts clever hackers?
  3. Software quality. Is the code designed and written to be maintainable and run reliably?

Triangle 4x6_screen.png

Trust is the key to M&A success

Much like dating, the dance that precedes an M&A transaction is all about building mutual trust. And in a tech transaction, acquirers must fully trust the software they are taking on board because it embodies much of the value of the deal. Beyond the weekends and nights of work required by an M&A deal, there are plenty of concerns to keep everyone involved up at night.

A high degree of mutual trust must be established before due diligence starts—usually after months or more of engagement—because the diligence process really ups the ante on commitments and information exchange. Both sides must believe that the deal is going forward in order to justify such a big next step. Acquirers must trust that there are no big skeletons in the target’s closet. Targets must trust that the acquirers are ready to do the deal. Everyone must have some confidence that what they see is what they get. 

Don’t forget to verify

Due diligence, then, is the verify part of “trust but verify.” Going into the process on a tech deal, the software is one of the bigger unknowns. Trust though they might, sellers are reluctant to share the details of their software even during diligence with the acquirer (often a would-be competitor) should the deal fall through. Many acquirers share a reciprocal concern: If the deal falls through, they don’t want to be suspected or accused of appropriating the target’s trade secrets in the code. 

But assessing the software trust triangle—the composition and licenses, the security, and the quality of the software—requires analyzing the source code, the target’s most precious asset. Acquirers have concerns about risk in these areas. Because many targets of acquisitions lack adequate controls in their development processes, there are often software issues requiring remediation. For example, the “Open Source Risk in M&A by the Numbers” white paper found that 89% of transactions included open source components with license conflicts, and 97% contained known but unpatched security vulnerabilities.

The critical role of a trusted third party is to bridge the gap. It’s important that the acquirer trust that the third party will deliver a complete analysis of the trust triangle under the tight timelines of a typical due diligence effort (weeks, not months). But even more critical is the target’s trust that the third party will protect their intellectual property and give them a fair shake in the assessment.

Peace of mind with fast, comprehensive results

Industry-trusted Synopsys Black Duck Audits enable buyers and sellers in an M&A transaction to build trust into software due diligence. While we don’t guarantee a good night’s sleep, we promise that there will be less to keep you up at night. Trust us; we got this.

By the Numbers: Open Source Risk in M&A Webinar | Synopsys

*** This is a Security Bloggers Network syndicated blog from Application Security Blog authored by Phil Odence. Read the original post at: https://www.synopsys.com/blogs/software-security/building-trust-mergers-and-acquisitions/