Contenu connexe Similaire à Software audit for acquisition due diligence with nexB (20) Software audit for acquisition due diligence with nexB1. Copyright © nexB Inc.
Software Provenance Analysis -
Acquisition Due Diligence
2. Copyright © nexB Inc.
Agenda
About nexB
What we do
Our experience
Software Audit: M&A
Software Audit Process
Software Audit Tools
Additional Information
Why nexB?
Contact us
License Violation Risks & Recent Audit Issues
Lessons Learned
3. Copyright © nexB Inc.
Our business is software component management
• Current focus on open source governance and compliance
• Primary product is an enterprise system for tracking all software
components in your products,
• Plus practical open source solutions for integrating software
engineering systems with enterprise systems
We offer
• DejaCode™- Open Data Platform for Managing Open Source
• Open Source Software Audit Services
• Open Source Scanning & Attribution Generation Tools
We are
• Software provenance analysis experts
• Active open source developers & Linux Foundation members
About nexB Inc. – What we do
4. Copyright © nexB Inc.
About nexB Inc. – Our experience
Recognized by the buyers and target companies as:
• Experts in software origin analysis
• A fair and trusted intermediary
Two key reasons to engage nexB:
• Combination of automated analysis tools and our expertise to
clearly define Issues and practical remediation actions
• Identification of the subset of software from the Development
codebase that is actually distributed or deployed to identify
potential impact of a software IP risk
We have performed more than 500 software audit projects to-date
• Expertise in all software IP
5. Copyright © nexB Inc.
Software Audit: M&A – Process
Scope
Original
Code
Open Source Code
Commercial
Code
7. Copyright © nexB Inc.
Scope options - depending on your schedule and priorities
• Copyleft & Commercial issues
Ø Focus only on copyleft and commercial code
• Deployed Bill of Material only
Ø Focus on what code is actually visible to a customer
• Deployed Bill of Material only with Development codebase details
Ø BOM of Development codebase components that are Deployed
on the product
• Development codebase inventory
Ø Inventory of Development codebase components
Ø Details for Deployed components
Ø Summary for non-Deployed
Software Audit: M&A – Process
8. Copyright © nexB Inc.
Software Audit: M&A - Deliverables
Specific Action items and recommended actions for resolution
that can be factored into the deal terms
• Including possible exposure for older product versions
• Detailed analysis for copyleft “contamination”
Checklist of commercial components as input to due diligence for
contract review
Analysis of how much code is original versus borrowed (OSS) or
purchased (Commercial)
9. Copyright © nexB Inc.
Software Audit: M&A – Preparation
Establish NDA with seller
• Two-way or three-way
Scope audit effort
• Audit profile (questionnaire)
• Size of code base - # files and lines of source code
• Disclosure of known third-party and open source software
• Onsite or remote access to the code
Prepare/agree quote – always fixed fee, no surprises
Schedule project
10. Copyright © nexB Inc.
Many targets are anxious about the process
• General level of anxiety is inversely proportional to prior M&A
experience of executives
• We do some hand holding to make them feel comfortable
• Assure seller that they review all findings first so no surprises
• Explain the process and tools to the seller
Software Audit: M&A – Preparation
11. Copyright © nexB Inc.
Software Audit: M&A - License & Origin Analysis
Analysis Activities
• Discovery: scan files for license, copyright and other origin clues
• Identification: match target code to reference code repository for
origin and license detection (based on digital “fingerprints”)
• Map Deployed code to Development code to:
Ø Validate that we have a complete Development codebase
Ø Filter issues based on the effective Deployed/Distributed
code
• Analyze software interaction and dependency patterns for
copyleft-licensed components as needed
• Additional domain-specific investigations
12. Copyright © nexB Inc.
Software Audit: M&A - License & Origin Analysis
Results
• Software Inventory and Bill(s) of Materials
• Draft Action items & recommendations
13. Copyright © nexB Inc.
Software Audit: M&A - Review & Report
Activities
• Draft findings review with product team
Ø Ask product team to respond to each Action item
• Accept recommended solution or propose another
approach
• Acknowledge & investigate
• Not a request to fix anything during the audit
Ø Incorporate feedback and answers from product team into
the Software BOM and Report
Ø We may “agree to disagree” – e.g. we then present two
points of view: ours and the seller’s.
• Complete final report
Ø Second review cycle with product team
Ø Release the report
Ø Conference call with buyer to present findings
14. Copyright © nexB Inc.
Software Audit: M&A - Review & Report
Results
• Final Software Inventory / BOM spreadsheets
• Final Report - narrative with executive summary, project data
and summary of the Action items and Responses
15. Copyright © nexB Inc.
Software Audit: M&A - Software Audit Tools
nexB typically uses a combination of tools for a software audit
• Our own ScanCode toolkit is the primary tool
• Other tools used as needed or as licensed by a customer (open
source or commercial)
Multiple layers of analysis
• Discovery: direct scan for license and copyright notices
• Identification: component matching for open source and publicly
available third-party components (freeware/proprietary)
• Analysis of source code and pre-built libraries (binary)
• Interaction and dependency analysis as needed
Review and validation by software experts
All require expert humans to interpret the results!
16. Copyright © nexB Inc.
Additional Information: Why nexB?
Trusted third party
• Mitigates confidentiality concerns of a seller company
• Maintains proper segregation of information during acquisition
negotiations
• Enables objective analysis with appropriate consideration of
feedback from all parties
17. Copyright © nexB Inc.
Additional Information: Contact us
Contact person
Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+ 1 415 287-7643
More information
http://www.nexb.com/acquisition_due_diligence_audit.html
18. Copyright © nexB Inc.
Additional Information: License Violation Risks
source code
available
source with
limitations
(Proprietary)
Copyleft
FOSS
Attribution
Binary-only
(Proprietary)
Free
Software
Freeware /
Shareware
many Java
libraries
Microsoft
shared source
Sun
SCSL
GNU GPL
GNU LGPL
MPL
CDDL
BSD
MIT
Apache
EPL
19. Copyright © nexB Inc.
Additional Information: Recent Issue Examples
Dependency Issue “Workarounds”
License violation
20. Copyright © nexB Inc.
Additional Information: Emerging Issue Examples
Cloud computing and Dual Licensing
Personal Devices and Application store markets
21. Copyright © nexB Inc.
Additional Information: Lessons Learned
Schedule is always a major issue
Initiate a software audit early because
• Seller company will probably not have done this before
• Negotiation of an NDA takes longer than you expect
• Negotiation of access to artifacts and people takes longer than
you think
The review of findings and recommendations may require several
iterations with target company
• Get answers for open issues
• Get agreement about remediation strategies
• Get agreement that report is objective and reasonable
22. Copyright © nexB Inc.
Additional Information: Lessons Learned
Identify the “crown jewels” and key platforms of the seller
technology
• Concentrate the audit on the most important parts
• For products with multiple operating system versions, focus on
the most important platforms
Some issues can be specific to the open source policies of the
Buyer
• For instance tolerance for certain version of open source
licenses or proprietary Linux drivers varies among companies
• We apply Buyer company policies if available,
• Otherwise we apply “conservative” community standards
• Exceptional cases may require additional discussion with legal
and and business teams to evaluate the risks