OpenChain Webinar - Open Source Due Diligence for M&A - 2024-06-17

OPEN SOURCE DILIGENCE: FROM RISK ASSESSMENT TO POST-CLOSE INTEGRATION
JARI KOIVISTO
2024-06-17
SPEAKER
Jari Koivisto
Open Source Specialist
AGENDA
1 OPEN SOURCE DUE DILIGENCE (OSDD)
• WHY IT IS IMPORTANT FOR M&A
2 OPEN SOURCE DUE DILIGENCE IN PRACTICE
3 OSDD SPECIALISTS’ ROLE AT POST-CLOSE
4 SUMMARY
OPEN SOURCE DUE DILIGENCE
WHAT IS OSDD AND WHY IT IS IMPORTANT FOR M&A
OPEN SOURCE DUE DILIGENCE IS IMPORTANT FOR TECH M&A
SOFTWARE DEVELOPMENT AND RISK TODAY
• TODAY ALMOST 80% OF THE CODE IN AUDITED CODEBASES IS OPEN SOURCE; SEE SYNOPSYS' 2024 OPEN SOURCE RISK IN M&A BY THE NUMBERS REPORT FOR DETAILS
• MANY POTENTIAL TARGET COMPANIES DO NOT MANAGE OSS WELL → UNKNOWN RISKS IN M&A
• OPEN SOURCE DISCLOSURE LISTS THAT TARGETS PROVIDE ARE NORMALLY FAR FROM COMPLETE
• ALL OPEN SOURCE CODE CARRIES POTENTIAL LICENSING AND CYBER SECURITY RISKS
• LICENSING RISK: TARGET’S IP MAY BE AT RISK; ONCE INTEGRATED, EVEN THE BUYER’S IP MAY BE AT RISK
• CYBER SECURITY RISK: DATA BREACHES CAN BE VERY EXPENSIVE
Source: 2024 Open Source Risk in M&A by the Numbers
OPEN SOURCE DUE DILIGENCE IS IMPORTANT FOR TECH M&A
INFORMS THE DEAL AND FUTURE PLANS
• IDENTIFY IF THERE ARE ANY MAJOR SURPRISES
• HOWEVER, IT IS LESS ABOUT KILLING DEALS, ALTHOUGH THAT CAN HAPPEN TOO IF RISKS AND/OR MITIGATION COSTS ARE TOO HIGH
• MANY CRITICAL/MAJOR ISSUES MAY ALSO AFFECT DEAL TERMS AND EVEN VALUATION
• ESTIMATE HOW MUCH TIME AND MONEY IS NEEDED TO MITIGATE ISSUES AND INTEGRATE
• HIGH CRITICALITY RISKS ARE OFTEN MITIGATED BEFORE THE DEAL CLOSES
Open Source Due Diligence for M&A: identifying issues, confirming value, planning

Identifying issues
Licensing risks
• OSS licenses carry obligations that must be fulfilled, even permissive licenses (attribution, license text)
• Components without any license
• E.g. Target: “We did not find any license, so we assumed that the code was public domain.” (No license means no permission has been granted; it does not make the code public domain.)
Security risks
• Are there known vulnerabilities (CVEs)?
• According to 2024 Open Source Risk in M&A by the Numbers:
  • 97% of transactions contained at least one vulnerability, mean 439 vulnerabilities per transaction
  • 94% of transactions involve code with high-risk vulnerabilities
• Exploitable or not?
  • E.g. a component vulnerable only on 32-bit platforms, while Target ships only 64-bit builds
• Does Target have processes to identify and remediate security issues?

Confirming value
Buyer to know what they are buying
• Without a good Open Source DD, Buyer may spend millions/billions on something that they may then be obliged to open source
• E.g. OpenWrt, which grew out of router firmware that had to be released under the GPL
• Is the price correct?

Planning
Buyer to understand what it takes to mitigate issues
• Validating the roadmap
• High-risk issues → closing conditions
• E.g. embedded copyleft code
OPEN SOURCE DUE DILIGENCE IN
PRACTICE
A TESTED PROCESS OF HOW TO EXECUTE OSDD FOR M&A
OPEN SOURCE DUE DILIGENCE
EXECUTION APPROACHES
Questionnaires and meetings
• The goal is to find out how, and how well, OSS component use is managed
Source code audit
• The goal is to get an understanding of the risk level
  • Licensing risk
  • Cyber security risk
• Verify how effective the OSS management is
  • Target may have an excellent OSS policy and training on paper, but if they are not put into use, they have no value
  • Are the codebase findings in line with the questionnaire answers?
PREPARE BEFORE THE ACTUAL DUE DILIGENCE WORK STARTS
SUCCESSFUL DD REQUIRES GOOD PREPARATION
• EARLY ENOUGH:
• PREPARE QUESTIONNAIRE(S) AND CHECKLIST(S)
• SELECT THE 3RD PARTY AUDITOR AND AGREE ON BUSINESS TERMS
• AGREE ON A SINGLE POINT OF CONTACT TOWARDS THE TARGET
• TARGET PERSONNEL WILL BE VERY BUSY; ONE CONTACT PERSON MAKES THEIR LIFE EASIER
• ONCE THE TARGET IS KNOWN:
• STUDY TARGET’S OFFERING
• BUSINESS UNIT’S PLANS
OPEN SOURCE DUE DILIGENCE
TIMELINE
Scoping: Open Source Due Diligence will take time. Agree on which products and versions need to be audited.
Planning and priority: Review issues, prioritize and create remediation plans. Some high-priority issues are normally remediated pre-close.
Negotiate: Be prepared to negotiate. Buyer to reassess deal terms.
OPEN SOURCE DUE DILIGENCE
PROCESS OBSERVATIONS
• BUYER WANTS TO UNDERSTAND TARGET’S:
  • OPEN SOURCE POLICIES AND PROCESSES
  • TRADITIONALLY OPEN SOURCE LICENSE COMPLIANCE WAS THE MAIN FOCUS
  • TODAY THERE IS ADDITIONAL FOCUS ON OPEN SOURCE MANAGEMENT PROCESSES AND OPEN SOURCE VULNERABILITIES
• BUYER DOES NOT HAVE ACCESS TO THE SOURCE CODE
  • BUYER DOES NOT WANT TO SEE THE SOURCE CODE (TO AVOID IP CONTAMINATION CLAIMS SHOULD THE DEAL NOT CLOSE)
  • TARGET DOES NOT WANT TO SHARE THEIR SOURCE CODE
  • → A 3RD PARTY AUDITOR IS OFTEN THE ANSWER
• IN THE END OPEN SOURCE DUE DILIGENCE PRODUCES
  • OPEN SOURCE RISK REPORT
  • MITIGATION PLAN, WHICH INCLUDES ESTIMATES OF COST (TIME / MONEY)
OPEN SOURCE POLICIES AND PROCESSES
BUYER TO EXAMINE THE QUALITY OF TARGET’S OPEN SOURCE POLICIES AND PROCESSES
• NORMALLY THERE IS NOT MUCH TIME → THE QUICKEST WAY IS A QUESTIONNAIRE AND A MEETING WITH TARGET
• BUYER SHOULD ALSO REQUEST A DISCLOSURE LIST (SBOM) OF ALL 3RD PARTY COMPONENTS
  • A GOOD INDICATOR OF TARGET’S PROCESSES: COMPARE IT AGAINST WHAT THE CODE AUDIT FINDS
  • E.G. IN ONE CASE THE DISCLOSURE LIST HAD 7 ITEMS, THE CODE BASE WAS PRETTY LARGE, AND THE CODE AUDIT FOUND AT LEAST HUNDREDS OF COMPONENTS AND SNIPPETS
• TIPS:
• KEEP THE QUESTIONNAIRE AS SHORT AS POSSIBLE, BUT INCLUDE ALL RELEVANT AND IMPORTANT QUESTIONS
• THERE ARE PUBLICLY AVAILABLE CHECKLISTS THAT CAN BE USED AS A STARTING POINT FOR THE QUESTIONNAIRE(S)
• SEND THE QUESTIONNAIRE TO TARGET AS SOON AS POSSIBLE AND GIVE THEM A COUPLE OF DAYS TO ANSWER
WHAT SHOULD BE EXPLORED
BASED ON THE QUESTIONNAIRE(S) AND MEETINGS WITH TARGET
• DOES TARGET HAVE A WRITTEN OPEN SOURCE POLICY?
• IF YES, HOW DOES IT COMPARE TO BUYER’S OPEN SOURCE POLICY?
• POLICIES AND PROCESSES FOR OSS USE AND CONTRIBUTING BACK TO THE OSS PROJECTS
• DOES TARGET HAVE AN OPEN SOURCE COMPLIANCE PROGRAM, OSPO, OSRB?
• POLICIES AND PROCESSES HANDLING KNOWN VULNERABILITIES (CVES)
• POLICIES AND PROCESSES FOR OUT-OF-SUPPORT OR DEPRECATED OSS COMPONENTS
• WHAT TOOLS TARGET USES
• SCA, SBOMS MANAGEMENT, VULNERABILITIES MANAGEMENT
• OPENCHAIN CONFORMANT/CERTIFIED?
• ISO/IEC 5230 (LICENSE COMPLIANCE) AND/OR ISO/IEC 18974 (SECURITY ASSURANCE)?
SOURCE CODE AUDIT USING A 3RD PARTY AUDITOR
• TYPICALLY TARGET’S SOURCE CODE IS DELIVERED TO THE AUDITOR
• THE AUDITOR CAN ALSO GO TO TARGET’S SITE OR HAVE A PROXY LAPTOP THERE
• SNIPPET-LEVEL AUDIT RECOMMENDED*
  • COPYLEFT SNIPPETS IN TARGET’S IP
  • E.G. CC-BY-SA SNIPPETS FROM STACKOVERFLOW ARE VERY COMMON
  • GPL AND OTHER COPYLEFT SNIPPETS ARE ALSO POSSIBLE
  • AI-GENERATED CODE SNIPPETS NEED TO BE PROPERLY HANDLED TOO
  • COPYRIGHTS, ATTRIBUTIONS, LICENSE TEXTS?
  • COPYLEFT?
* Snippet-level scan & audit recommended

AUDIT FLOW
• Start: term-sheet
• Kick-off call: project start, introduce the 3rd party auditor and Target, agree the details of the audit.
• Target delivers the code to the auditor: typically the auditor sets up a secure server for Target to upload the source code (agree up front who has access, how the code is protected, and when it is deleted after the audit).
• The auditor executes the audit: machine scan of the code base. Identify the origin and licenses of open source components and snippets*. Identify also components and snippets* without any license.
• Audit report delivery: the auditor delivers the report(s) to the Buyer; the report includes the SBOM and a summary of the findings. A known vulnerabilities report may also be part of the delivery.
• Final meeting: the auditor presents the findings of the audit and addresses any additional questions.
• End
EXPECTATIONS
START-UP (TYPICAL TARGET):
• MAY NOT HAVE A WRITTEN OPEN SOURCE POLICY, BUT LIKELY HAS A PROCESS TO ACCEPT/REJECT OPEN SOURCE COMPONENTS, E.G. ASK THE CTO
• MAYBE A CODE SCAN BEFORE THE DUE DILIGENCE AS PART OF THE PREPARATION, BUT OFTEN SCANS ARE NOT PART OF THE WORKFLOW
• AUDIT FINDINGS:
  • A LOT OF FINDINGS, BUT MOSTLY PERMISSIVE LICENSES
  • ALSO CC-BY-SA LICENSED SNIPPETS
  • CVES (OUTDATED COMPONENTS)
MATURE COMPANY:
• OPEN SOURCE POLICY AND PROCESSES IN PLACE
• LICENSE COMPLIANCE IS TAKEN CARE OF; SOME MAY EVEN HAVE A VIRTUAL OSPO OR AN OSPO
• AUDIT FINDINGS:
  • ALWAYS SOMETHING → TARGET OFTEN PROACTIVELY REMEDIATES
  • CC-BY-SA LICENSED SNIPPETS
  • CVES, OUTDATED COMPONENTS
OPEN SOURCE DUE DILIGENCE PRODUCES
REPORTS AND REMEDIATION PLANS
• OSS LICENSE COMPLIANCE ISSUES REPORT
• OSS SECURITY ISSUES REPORT
  • POSSIBLY PART OF THE OVERALL SECURITY DUE DILIGENCE AUDIT REPORT
• REMEDIATION PLAN(S)
  • HOW TO REMEDIATE OSS LICENSE COMPLIANCE ISSUES
  • HOW TO REMEDIATE CURRENT OSS KNOWN VULNERABILITIES
  • PROCESS IMPROVEMENT PLANS
  • TARGET OSS TRAINING PLANS
• ISSUES REMEDIATION PLANNING: TARGET KNOWS THE CODE BEST → KEEP THEM IN THE LOOP AND ASK FOR SUGGESTIONS AND TIMELINES
Remediation options for each issue: Remove, Replace, Rewrite, Renew (upgrade to a fixed version), Relicense, or Respect (keep the component and fulfil its license obligations)
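The checks behind these reports (compare the Target's disclosure list with what the audit actually finds, treat a component with no license as a problem rather than as public domain, bucket licenses by copyleft risk, and decide whether a known vulnerability is really exploitable in the Target's deployment) can be scripted once the auditor's SBOM is in hand. The Python below is an added example written for this page, not the presenter's or any auditor's code; the component names, the EXAMPLE-000x advisory ids, the VEX statement and the three license buckets are constructed assumptions, and the VEX state and justification strings follow the CycloneDX vocabulary (not_affected, requires_environment).

```python
"""Added example, not from the presentation: reconcile the Target's disclosure
list against a third-party code-audit SBOM, bucket license risk, and triage
known vulnerabilities with CycloneDX-style VEX statements.
Every component, advisory id (EXAMPLE-000x) and VEX statement below is
constructed for illustration; real feeds carry CVE ids and real SPDX data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str             # SPDX id as found by the scan; "" when none was found
    kind: str = "component"  # "component" or "snippet"


# License buckets are this example's assumption; a Buyer applies its own policy.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "CC-BY-SA-4.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def license_risk(spdx_id: str) -> str:
    """Bucket one SPDX id. No license found means 'unknown', never 'public domain'."""
    if not spdx_id or spdx_id.upper() in {"NOASSERTION", "NONE"}:
        return "unknown"
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "review"  # anything else gets a human (legal) look


def reconcile(disclosed: set[tuple[str, str]], audited: list[Component]) -> dict:
    """Compare what the Target disclosed with what the audit actually found."""
    found = {(c.name, c.version) for c in audited if c.kind == "component"}
    return {
        "undisclosed": sorted(found - disclosed),  # in the code, not on the list
        "stale": sorted(disclosed - found),        # on the list, not in the code
        "coverage": len(found & disclosed) / len(found) if found else 1.0,
    }


def license_findings(audited: list[Component]) -> list[tuple[str, str, str]]:
    """(name, kind, risk) for everything that is not plainly permissive."""
    return [(c.name, c.kind, license_risk(c.license))
            for c in audited if license_risk(c.license) != "permissive"]


def vuln_findings(audited: list[Component], advisories: list[dict],
                  vex: dict[tuple[str, str], dict]) -> list[dict]:
    """Match advisories to audited (name, version) pairs; a VEX statement may
    override the default 'affected' state, e.g. requires_environment for a bug
    that only bites on 32-bit builds when the Target ships 64-bit only."""
    present = {(c.name, c.version) for c in audited}
    out = []
    for adv in advisories:
        if (adv["component"], adv["version"]) not in present:
            continue  # not in this code base: not a finding for this deal
        override = vex.get((adv["id"], adv["component"]), {})
        out.append({"id": adv["id"], "component": adv["component"],
                    "severity": adv["severity"],
                    "state": override.get("state", "affected"),
                    "justification": override.get("justification")})
    return out


def build_report(disclosed, audited, advisories, vex) -> dict:
    """The numbers a risk report leads with; the detailed lists back them up."""
    rec = reconcile(disclosed, audited)
    lic = license_findings(audited)
    vul = vuln_findings(audited, advisories, vex)
    return {
        "undisclosed_components": len(rec["undisclosed"]),
        "disclosure_coverage": rec["coverage"],
        "strong_copyleft": sum(1 for _, _, r in lic if r == "strong-copyleft"),
        "unknown_license": sum(1 for _, _, r in lic if r == "unknown"),
        "open_high_or_critical": sum(1 for v in vul if v["state"] == "affected"
                                     and v["severity"] in {"high", "critical"}),
    }


# Constructed sample data (not a real Target): a 3-item disclosure list versus
# a 6-item audit result, two applicable advisories and one VEX override.
DISCLOSED = {("http-client", "2.3"), ("compressor", "1.2"), ("old-lib", "1.0")}
AUDITED = [
    Component("http-client", "2.3", "Apache-2.0"),
    Component("compressor", "1.2", "Zlib"),
    Component("crypto-core", "0.9", "GPL-2.0-only"),
    Component("json-parse", "3.1", ""),                      # no license text found
    Component("stackoverflow-snippet", "", "CC-BY-SA-4.0", kind="snippet"),
    Component("util-lib", "1.4", "MIT"),
]
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "http-client", "version": "2.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "component": "util-lib", "version": "1.4", "severity": "high"},
    {"id": "EXAMPLE-0003", "component": "other-lib", "version": "1.0", "severity": "critical"},
]
# CycloneDX VEX analysis vocabulary: state not_affected, justification requires_environment.
VEX = {("EXAMPLE-0002", "util-lib"): {"state": "not_affected",
                                      "justification": "requires_environment"}}

if __name__ == "__main__":
    print(reconcile(DISCLOSED, AUDITED))
    print(license_findings(AUDITED))
    print(vuln_findings(AUDITED, ADVISORIES, VEX))
    print(build_report(DISCLOSED, AUDITED, ADVISORIES, VEX))
```

Run as a script it prints the reconciliation (three undisclosed components, one stale entry, 40% disclosure coverage), the four non-permissive license findings, the two applicable advisories with one downgraded by VEX, and the headline counts. In a real engagement the inputs are the Target's disclosure list, the auditor's SPDX or CycloneDX SBOM and a vulnerability feed keyed by CVE, and the Buyer's own license policy replaces the three buckets; the snippet with a CC-BY-SA license and the component with no license at all are the two findings that most often surprise a Target.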
TAKING ADVANTAGE OF THE OPEN SOURCE DUE DILIGENCE RESULTS POST-CLOSE
THE ONES WHO EXECUTED THE OSDD HAVE THE BEST KNOWLEDGE
ACQUISITION INTEGRATION
DEPENDING ON THE INTEGRATION SCENARIO
• ACQUISITION INTEGRATION STARTS AFTER THE DEAL CLOSES
• AT THE BEGINNING THE ACQUISITION INTEGRATION PEOPLE HAVE LIMITED KNOWLEDGE OF THE TARGET
• PEOPLE WHO CONDUCTED THE OPEN SOURCE DUE DILIGENCE AND PRODUCED THE REPORTS AND
REMEDIATION PLANS HAVE THE LATEST INFORMATION
• THINGS TO CONSIDER:
• DO NOT THROW THE OPEN SOURCE DUE DILIGENCE REPORTS AND REMEDIATION PLANS OVER THE FENCE TO ACQUISITION INTEGRATION AND HOPE FOR THE BEST
• A GOOD PRACTICE IS THAT PEOPLE WHO CONDUCTED THE OPEN SOURCE DUE DILIGENCE HELP THE ACQUISITION INTEGRATION AND BUSINESS UNIT AT LEAST AT THE BEGINNING OF THE INTEGRATION PHASE
• OSDD SPECIALISTS TO PARTICIPATE IN THE FIRST INTEGRATION MEETINGS
• SOMETIMES JUST 1-2 MEETINGS ARE NEEDED, SOMETIMES SEVERAL MEETINGS OVER THE MONTHS ARE NEEDED
ACQUISITION INTEGRATION
OPEN SOURCE DUE DILIGENCE SPECIALISTS’ ROLE
• GO THROUGH THE OPEN SOURCE DUE DILIGENCE AUDIT REPORT(S):
• EXPLAIN THE ISSUES AND SUGGESTED REMEDIATION ACTIONS
• ISSUES MAY BE IN OSS LICENSING, OSS VULNERABILITIES, PROCESSES, ETC.
• ANSWER ANY QUESTIONS (BUSINESS UNIT, OSPO/BU LEGAL, ACQUISITION INTEGRATION)
• NEW INFORMATION ACQUIRED
• DURING THE FIRST WEEKS AND MONTHS OF INTEGRATION MORE INFO IS GATHERED
• SOME REMEDIATION RECOMMENDATIONS NEED ADJUSTING OR POSSIBLY SOME ISSUES NO LONGER ARE ISSUES
• OPEN SOURCE DD SPECIALIST CAN HELP THE ACQUISITION INTEGRATION TEAM AND BUSINESS UNIT
• BUSINESS UNIT PLANS CHANGED?
• IN CASE BU CHANGES THE PLANS POST-CLOSE → OPEN SOURCE ISSUES MAY BE DIFFERENT
• E.G. SAAS SOLUTION → SHIPPED SOLUTION: DISTRIBUTING THE SOFTWARE TRIGGERS COPYLEFT SOURCE OBLIGATIONS THAT SAAS USE DID NOT (NETWORK COPYLEFT LICENSES SUCH AS AGPL EXCEPTED)
WHAT IF FULL OPEN SOURCE DUE DILIGENCE CANNOT BE DONE PRIOR TO DEAL CLOSE?
• NO TIME TO DO A FULL OSDD PRIOR TO THE DEAL’S LEGAL CLOSE?
• CONTINUE THE AUDIT POST-CLOSE
• CONTRACTUAL OPTIONS TO HAVE IN PLACE:
  • ESCROW
  • REPS/WARRANTIES
  • INSURANCE: NOWADAYS MORE INSURERS OPERATE IN THIS SPACE
SUMMARY
OPEN SOURCE DUE DILIGENCE PROCESS
AN EXAMPLE OF HOW THE WHOLE PROCESS MAY LOOK
• Preparation: questionnaire(s) ready; 3rd party auditor selected; information about the Target and its products; publicly available info
• Start: term-sheet agreed; OSDD starts
• OSDD kick-off call: Buyer, Target, 3rd party auditor, legal representatives
• Code audit: open source questionnaire(s) to Target; request disclosure list (SBOM); 3rd party code audit starts
• Target’s response to initial questionnaire(s): answers to the questions; disclosure list (SBOM)
• 3rd party code audit: a snippet-level audit will take some time; the auditor delivers the code audit report
• Code audit follow-up: Buyer and auditor meeting; additional questions based on the audit report to the Target; (meeting with Target)
• Target’s responses to the additional questions: questionnaire based on the audit report
• Risk evaluation: interim report and interim remediation plan; inputs to final commit
• Final commit: normally a public announcement follows
• Remediation planning: final OSDD report(s); final remediation plan(s)
• Deal legal close: Target is part of the Buyer now
• Due diligence closure: hand-off to acquisition integration
• Acquisition integration: Open Source DD specialist consults acquisition integration; issues remediated; Target integrated into the Buyer’s organization
SUMMARY
• OPEN SOURCE DUE DILIGENCE VERY IMPORTANT FOR M&A
• PREPARE ALL QUESTIONNAIRES AND SELECT 3RD PARTY AUDITOR WELL IN ADVANCE
• TWO MAIN TRACKS IN OSDD:
1. QUESTIONNAIRE(S) AND MEETINGS
2. SOURCE CODE AUDIT (BY 3RD PARTY AUDITOR)
• OPEN SOURCE PRACTICES AND PROCESSES ANALYSIS
• SOURCE CODE AUDIT: LICENSING AND SECURITY RISKS ANALYSIS
• COST (TIME / MONEY) OF ISSUES REMEDIATION
• PEOPLE WHO CONDUCTED OSDD TO PARTICIPATE IN ACQUISITION INTEGRATION
• A MEETING OR TWO, OR LONGER IF NEEDED
Questions and answers
CONTACT INFO
JARI KOIVISTO
• jari.p.koivisto@iki.fi
• https://www.linkedin.com/in/jarikoivisto/
