
Technical Due Diligence for M&A:
A Perspective from Corporate Development at SAP

Speakers

• Peter Vescuso, EVP of Marketing & Business Development, Black Duck Software
• Russell Hartz, Corporate Development, SAP
• Hal Hearst, Sr. Director, Olliance Group

Agenda

• Market trends
• Why technical DD is needed
• M&A Issues
• How it works
  – Code Scanning
  – Analysis
• SAP: Perspective from a Major Acquirer
• Summary

Note: All registered participants will receive a follow-up email with a copy of the slides and a link to the webinar recording.

Market Trends

• Open source is becoming pervasive and ubiquitous
  – It's in your phone, your HD TV, your printer, your web browser, Google, Amazon, Twitter, etc.
  – Gartner reports 85% of enterprises use OSS today
• Economics of OSS are compelling
  – Virtually all IT organizations now use OSS; much of that use is ad hoc
  – 45% of use is mission-critical
• Market Need – "Managing Abundance"
  – < 30% of customers have any OSS policies
  – Need: address the challenges of multi-source development:
    - Compliance/Management – IP, security, export
    - Management/Automation – policy, process, multi-source

451 Group Survey on OSS Use (December 2009)
• 87% of companies say OSS meets or exceeds cost savings expectations
• 39% of OSS users ranked flexibility as the primary benefit

Why Technical DD is Needed: Many Paths for Open Source to Get into a Code Base

[Diagram: code flows into "Your Software Application" from internally developed code (development sites labelled Cambridge, San Mateo, Bangalore and Russia), outsourced development, commercial 3rd-party code, and open source software contributed by individuals, universities and corporate developers; each path carries obligations that your company must handle with its own tools and processes.]

"Open source is a necessary component of all organizations' supply chain strategies. It is essentially a way to manage cost and mitigate 3rd party dependencies." Brian Prentice, Gartner Group

Why Technical DD is Needed: Issues

• Open Source Problems
  – Open source issues arise in the development process and the software supply chain
  – Open source discovered after representations about open source have already been made
  – Anonymous: entire source code posted on SourceForge
• Risks
  – Lose deal
  – Delay deal
  – Reduced price/valuation
  – Lost revenue

Why Technical DD is Needed: Issues

• Use of open source is widespread (despite what your CTO tells you)
  – "A 'don't ask, don't tell' pact obscures the reality of OSS use" (Jeffrey Hammond, Forrester Research)
• Major acquirers and licensees are increasingly sensitive to uncertainty in general and to this issue in particular (some have a separate due diligence process for open source)
• Difficult to correct problems during merger frenzy
• Delay may be deadly to the deal

Open Source Licenses

• Open source licenses give broad rights
  – Copy, modify, redistribute
  – Includes express or implied patent rights
  – But also obligations, which are triggered on distribution, not on use
• Product Risks
  – Uncertain "pedigree"
  – "AS IS"
  – Copyleft nature of GPL & other licenses

Risks of Unmanaged Code

• Loss of intellectual property
• License rights and restrictions
• Software defects
• Export regulations
• Injunctions
• Contractual obligations
• Security vulnerabilities
• Escalating support costs

Software Licensing Violations

Enforcement actions and cases cited (brought by the Software Freedom Law Center, gpl-violations.org and others):
• Best Buy
• Cisco
• Verizon
• Monsoon Multimedia
• Skype
• Xterasys
• D-Link
• High-Gain Antennas
• BT
• Bell Microproducts
• Super Micro Computer
• Motorola
• Acer
• ASUS eeePC laptop
• Diebold
• Jacobsen v Katzer

Valuation factors: infringement, remediation costs, new revenue, support costs, vulnerability.

Technology Allows Easy Discovery of Unknown Open Source

Black Duck Analysis
• Compare code in the target's code base against a comprehensive KB of open source components
• Generate a software Bill of Materials, identify license obligations and perform conflict analysis

[Diagram: the target's code base (open source, third-party code, internal code) is scanned by a Validation Server backed by the KnowledgeBase (projects, licenses); the output is a report containing a Bill of Materials and license conflicts.]

The Black Duck KnowledgeBase: Unmatched Depth & Breadth

• Comprehensive open source database
  – Over 100 billion lines of code
  – 550,000+ OSS projects, all versions
  – Over 5,060 sites
  – Representing 2,000+ unique licenses
  – 50,000+ security vulnerabilities
  – 550+ cryptographic algorithms
• Extensive metadata
  – Name, description, versions, URL
  – License, programming language, OS
  – National Vulnerability Database
  – Cryptography
  – Code prints of source/binary
  – Customer-specific/contributed
• Addresses the "long tail" of OSS projects
• Continuously expanded
• Custom code printing to add your own code
• Daily security vulnerability alerts
• Automated metadata updates issued ~2x per month

Code Prints

• Encoded representation of source code
  – Black Duck KnowledgeBase represented by billions of Code Prints
• Robust Code Detection
  – Exact and fuzzy Code Print comparison
  – Statistically-based pattern matching
• Extensible to Additional Code
  – Add any code to a local copy of the KnowledgeBase
  – Track / manage sensitive source code
• Confidential
  – Source code and Code Prints remain local
  – Code Prints impossible to reverse engineer
• Code Prints make it all possible
  – Many TB of code can reside on a local server
  – Efficiently searched to speed time-to-results
  – Finds the origin of code even without an audit trail

Source Code Analysis

• Code matching
  – Compare Code Prints of your source code to the Black Duck KnowledgeBase
  – Detects matches of components, files and code fragments
    - Finds reused code even when altered
    - Reports project / license for confirmation
  – Language independent
• Dependency analysis
  – Import/include statements
• Integrated string search
  – Standard string search queries
  – Custom strings
  – Find licenses, copyrights, URLs, company names, user comments ("taken from"), …
• Analysis results that are unachievable by a manual process

Binary Code Analysis

• File matching
  – Compares checksum value to the KnowledgeBase
    - Libraries, class files, executables, archives, images, and more
• Dependency analysis
  – Detect dependencies embedded in JAR, CLASS, DLL, SO, etc.
• Archives and Compressed Files
  – Descends into archive files (zip, jar, tar, war, …)
  – Recursively performs source and binary analysis

[Diagram: a binary file's MD5 checksum is looked up in the Black Duck KnowledgeBase; the Black Duck KnowledgeBase simplifies binary file identification.]

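As an added illustration (not Black Duck's tooling and not code from this deck), the toy scanner below combines the two techniques described in the Source Code Analysis and Binary Code Analysis slides: it descends recursively into zip/jar archives, looks up each file's MD5 checksum against a constructed knowledge base, and runs a string search over source files for license, copyright, URL and "taken from" markers. The sample archive, the "libdemo" component and its license entry are constructed for the demo and are not real project data.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample component and a hash-keyed knowledge base entry
# (component, license); not real project bytes or Black Duck data.
SAMPLE_LIB = b"\x7fELF fake library bytes for the demo\n"
KNOWLEDGE_BASE = {hashlib.md5(SAMPLE_LIB).hexdigest(): ("libdemo", "GPL-2.0")}
# Markers the slides list as string-search targets: license names,
# copyright lines, URLs and "taken from" comments.
MARKERS = re.compile(
    r"(GNU General Public License|Apache License|Copyright \(c\)|"
    r"taken from|https?://\S+)", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".jar", ".war")
SOURCE_EXT = (".c", ".h", ".java", ".py", ".js")


def scan_blob(name, data, path=""):
    """Scan one file's bytes; returns (kind, path, what, license) tuples.
    Archives are opened and every member is scanned recursively."""
    full = f"{path}/{name}" if path else name
    findings = []
    if name.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings += scan_blob(info.filename, zf.read(info), full)
        return findings
    # Binary analysis: checksum lookup against the knowledge base.
    hit = KNOWLEDGE_BASE.get(hashlib.md5(data).hexdigest())
    if hit:
        findings.append(("checksum-match", full, hit[0], hit[1]))
    # Source analysis: string search for license/copyright/origin markers.
    if name.lower().endswith(SOURCE_EXT):
        for m in MARKERS.finditer(data.decode("utf-8", "replace")):
            findings.append(("string-match", full, m.group(0), None))
    return findings


def build_sample_archive():
    """Constructed input: a zip holding a C source file and a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("lib/libdemo.so", SAMPLE_LIB)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("src/util.c", "/* taken from http://example.org/x.c */\n"
                    "/* Copyright (c) 2009 Someone */\nint f(void) { return 0; }\n")
        zf.writestr("vendor/deps.jar", inner.getvalue())
    return outer.getvalue()
```

Calling scan_blob("target.zip", build_sample_archive()) reports three string matches in src/util.c and one checksum match for the library nested inside vendor/deps.jar, which is the kind of finding a manual review of the top-level tree would miss.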
License Analytics

• Over 2,000 open source and other licenses
  – With full license text
• Licenses organized according to 24 attributes
  – Rights and obligations, to simplify license review
• Display of license conflicts
• Automated approval process
• Obligation fulfillment checklist
• Add custom licenses

Speed license reviews and make better choices, earlier in the development process.

Remediation

• A code audit may reveal issues that need remediation
• Remediation can be done…
  – Pre-acquisition as a condition of the sale
  – Post-acquisition as part of the integration
• Primary concerns during due diligence
  – Does the remediation impact valuation?
  – What is the cost & effort?
  – Who should do it?
  – When is it done?
  – How much risk is the Acquirer taking?
• Remediation options will depend upon the OSS detected (license)

[Diagram of remediation phases: Conduct Code Audit → Determine Remediation Options → Remediate.]

What are the Remedies?

• Conform to the License
  – Verify compliance with license obligations
    - Check for file modifications
    - Confirm file-level obligations are met: copyright statements retained, modification notices in place, license text in place
    - Publish / distribute software if necessary
    - Update documentation/splash screens if necessary
    - And a host of others depending upon the license
  – Implement changes
  – Typically done during integration (post sale)
• Change Usage
  – Some obligations depend upon the usage scenario
  – Re-architect so usage of the component is less integrated
  – Comply with more desirable license terms

What are the Remedies? - Cont.

• Remove Offending Code
  – Black Duck Service can detect "Fossils"
  – Verify code can be safely removed with no impact
  – Typically forced on Sellers
• Replace Code
  – Replace with other OSS
  – Replace with a commercial alternative
  – Replace with in-house developed code
    - Need a clean room environment?
  – Can be difficult if the OSS component is critical
  – Can be lengthy and expensive

SAP Profile

The SAP Solution Portfolio
• Improves Business Insight
• Drives Business Efficiency
• Enables Flexibility & Innovation
• Implement Flexible Business Processes
• SAP Business Suite
• SAP Solutions for SME
• SAP NetWeaver

Major acquirer: 20+ acquisitions since 2007 valued at >$13 billion

Black Duck code scans in 15 closed deals since 2007 with total value >$7.5 billion

> 2,000 OS components identified in target solutions

SAP's Experience with Evolution of Target's Response to Open Source Due Diligence

Past: Skepticism
• "Why is SAP performing OS diligence?"
• Many questions about process / NDA heavily negotiated
• Require code scan to be performed on site

Present: Industry Standard
• Open source due diligence is expected
• Few process questions / little negotiation of NDA
• Allow remote code scan

SAP – M&A Due Diligence on Open Source

• SAP asks targets (typically prior to signing a term sheet):
  – Provide a list of all open source in use
  – Do you have a policy regarding open source use?
  – Do you have a governance process to monitor & control the use of open source in your products?
• Following execution of a non-binding term sheet, SAP engages Black Duck to scan the target's code for open source.
• Scan results are evaluated by SAP's open source licensing and legal groups prior to finalizing the transaction.

SAP M&A Open Source Evaluation Process

• Evaluate and categorize the risk of open source components used in the target's products
  – High risk components must be removed prior to SAP's shipment of the product post-closing
  – Non-high-risk components are dealt with following closing as part of SAP's standard open source governance process
• SAP may terminate a transaction evaluation due to the amount of open source found in the target's code and/or the cost of remediating high risk components

SAP Open Source Governance Process

Process flow: Open source request form → Architecture Check → Legal & IP Evaluation → Applicant Briefing → Management Approval

General License Evaluation
• Warranties / liabilities
• Support offerings
• General license grant
• Export restrictions

Modifications
• Does the license allow for modifications?
• What terms apply to modifications?

Special Requirements
• Required text for documentation
• Copyright notices
• Distribution pre-requisites

IP Evaluation
• Product's characteristics
• Contribution policy
• Companies in general supporting and using the open source product

Summary

• Open source is pervasive and ubiquitous
• Checking for open source has become an industry best practice in M&A involving software assets
• Be pro-active:
  – Run a code scan to accurately identify the open source components used in your code
  – Create an explicit policy for using open source
  – Regularly audit compliance (can be automated)
