nexB - Software Audit for Acquisition Due Diligence
© 2014 nexB Inc.
Agenda
•  About nexB
–  What nexB does
–  Our experience
•  Software Audit: M&A
–  License Violation Risks & Recent Audit Issues
–  Software Audit Process 
–  Software Audit Tools
•  Additional Information
–  Why nexB?
–  Contact us
–  Lessons Learned
© 2014 nexB Inc. 
What nexB does
•  Enable component-based software development
–  Software provenance analysis services
–  Software asset management tools
•  Software audit services
–  Acquisitions
–  Software product releases
•  Active OSS developers
•  Expertise in all software IP
About nexB
Our experience is our difference
•  Recognized by the buyers and target companies as:
–  experts in software origin analysis
–  a fair and trusted intermediary
•  We identify issues along with practical remediation steps
•  350+ software audit projects completed to-date
License Violation Risks
Software audit: M&A
Diagram: license categories arranged on a spectrum from source code available to binary-only. Copyleft FOSS and Attribution FOSS together form Free Software (examples shown: GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, Apache, EPL); source with limitations (Proprietary) (examples: many Java libraries, Microsoft shared source, Sun SCSL); Freeware / Shareware (example: Adobe Reader); Binary-only (Proprietary).
Recent Audit Issue Examples
•  Dependency Issue “Workarounds”
•  License violation
Emerging Audit Issue Examples
•  Cloud computing and Dual Licensing
•  Personal Devices and Application store markets
Software Audit Process
Software Analysis Scope
Diagram: the analysis scope covers Original Code, Open Source Code and Commercial Code.
Software Analysis Deliverables
•  Complete inventory of OSS and third-party components in Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
–  Including possible exposure for older product versions
–  Detailed analysis for copyleft “contamination”
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)
Preparation – 1 week (1/2)
•  Establish NDA with seller
–  Two-way or three-way
•  Scope audit effort
–  Audit profile (questionnaire)
–  Size of code base - # files and lines of source code
–  Disclosure of known third-party and open source software
–  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project
Preparation (2/2)
•  Many targets are anxious about the process
–  General level of anxiety is inversely proportional to prior M&A experience of executives
–  We do some hand holding to make them feel comfortable
–  Assure the seller that they review all findings first, so there are no surprises
–  Explain the process and tools to the seller
License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
•  Map Deployed code to Development code to:
–  Validate that we have a complete Development codebase
–  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications of media codecs
License & Origin Analysis (2/2)
Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations
Review & Report – 1 week (1/2)
Activities
•  Draft findings review with product team
–  Ask product team to respond to each Action item 
•  Accept recommended solution or propose another approach
•  Acknowledge & investigate
•  Not a request to fix anything during the audit
–  Incorporate feedback and answers from product team into the Software BOM and Report
–  We may “agree to disagree” – e.g. we then present two points of view: ours and the seller’s.
•  Complete final report
–  Second review cycle with product team
–  Release the report
–  Conference call with buyer to present findings & answer questions
Review & Report (2/2)
Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report - narrative with executive summary, project data and summary of the Action items and Responses
Software Audit Tools
•  nexB typically uses a combination of tools for a software audit
–  Our own DejaCode™ toolkit is the primary tool
–  Other tools used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
–  Direct scan for license and copyright notices
–  Component matching for open source and publicly available third-party components (freeware/proprietary)
–  Analysis of source code and pre-built libraries (binary)
–  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All require expert humans to interpret the results!
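As an added illustration of the layered analysis described in the Analysis Activities and Software Audit Tools slides (this is example code, not nexB's DejaCode toolkit or any nexB code), the toy scanner below runs a direct notice scan, a fingerprint match against a reference index, and a mapping of deployed files back to the development tree so that findings are filtered to what is actually distributed, then emits the inventory, the original-versus-borrowed breakdown and the action items. All file contents, component names and the "Acme Corp" target company are constructed.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

TARGET = "Acme Corp"  # hypothetical target company; its own notices mark "original" code

# Constructed development codebase: path -> file content.
DEV_CODEBASE = {
    "src/app/main.c": "/* Copyright (c) 2014 Acme Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "src/app/util.c": "/* Copyright (c) 2013 Acme Corp. */\nvoid util(void) {}\n",
    "third_party/zlib/inflate.c": "/* Copyright (C) 1995-2013 Mark Adler\n * see copyright notice in zlib.h */\n",
    "third_party/libfoo/foo.c": "/* Copyright (C) 2010 Foo Project\n * GNU General Public License */\n",
    "third_party/bar/bar.c": "/* Copyright 2012 Bar Authors\n * Apache License, Version 2.0 */\n",
    "third_party/vendor/sdk.c": "/* Copyright 2011 VendorCo. Proprietary and confidential. */\n",
    "experiments/old_proto.c": "/* Copyright (C) 2009 Someone\n * GNU Lesser General Public License */\n",
}
# Constructed deployed product: old_proto.c never ships; shim.c has no development counterpart.
DEPLOYED = {
    "bin/main.c": DEV_CODEBASE["src/app/main.c"],
    "bin/util.c": DEV_CODEBASE["src/app/util.c"],
    "bin/inflate.c": DEV_CODEBASE["third_party/zlib/inflate.c"],
    "bin/foo.c": DEV_CODEBASE["third_party/libfoo/foo.c"],
    "bin/bar.c": DEV_CODEBASE["third_party/bar/bar.c"],
    "bin/sdk.c": DEV_CODEBASE["third_party/vendor/sdk.c"],
    "bin/shim.c": "/* no notice at all */\nint shim(void) { return 1; }\n",
}


def fingerprint(text: str) -> str:
    """Digital fingerprint of a file: plain SHA-256 of its exact bytes here."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed reference index: fingerprint -> (component, license, category, origin).
# zlib's header names no license, so only this match can resolve it.
REFERENCE = {fingerprint(DEV_CODEBASE["third_party/zlib/inflate.c"]): ("zlib", "zlib", "permissive", "open source")}

# Layer 1, direct notice scan: (license, regex, category).
LICENSE_PATTERNS = [
    ("GPL", re.compile(r"GNU General Public License", re.I), "copyleft"),
    ("LGPL", re.compile(r"GNU Lesser General Public License", re.I), "copyleft"),
    ("Apache-2.0", re.compile(r"Apache License,? Version 2\.0", re.I), "permissive"),
    ("Proprietary", re.compile(r"\bproprietary\b", re.I), "commercial"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\([cC]\)\s*)?[\d,\s-]+([A-Za-z][^\n*/.]*)")


@dataclass
class Entry:
    path: str
    license: str
    category: str
    holder: str
    origin: str
    deployed: bool


def scan_file(text: str):
    """Layer 1 notice scan, then layer 2 fingerprint match against the reference index."""
    license_ = category = origin = "unknown"
    for name, pattern, cat in LICENSE_PATTERNS:
        if pattern.search(text):
            license_, category = name, cat
            break
    m = COPYRIGHT_RE.search(text)
    holder = m.group(1).strip() if m else "unknown"
    ref = REFERENCE.get(fingerprint(text))
    if ref:
        _component, license_, category, origin = ref
    elif holder == TARGET:
        origin = "original"
    elif category == "commercial":
        origin = "commercial"
    elif category != "unknown":
        origin = "open source"
    return license_, category, holder, origin


def audit(dev=DEV_CODEBASE, deployed=DEPLOYED):
    """Inventory the development tree, map it to the deployed product, derive action items."""
    deployed_fps = {fingerprint(t) for t in deployed.values()}
    dev_fps = {fingerprint(t) for t in dev.values()}
    inventory = [Entry(p, *scan_file(t), fingerprint(t) in deployed_fps) for p, t in dev.items()]
    # Deployed files with no development counterpart mean the development codebase is incomplete.
    missing = sorted(p for p, t in deployed.items() if fingerprint(t) not in dev_fps)
    actions = []
    for e in inventory:
        if not e.deployed:
            continue  # findings are filtered to effectively distributed code
        if e.category == "copyleft":
            actions.append(f"{e.path}: {e.license} in deployed product; analyze interaction/dependency pattern")
        elif e.category == "commercial":
            actions.append(f"{e.path}: commercial component ({e.holder}); add to contract review checklist")
        elif e.origin == "unknown":
            actions.append(f"{e.path}: origin and license unknown; needs expert review")
    actions += [f"{p}: deployed file not in development codebase; request complete sources" for p in missing]
    return inventory, actions


def composition(inventory):
    """Original versus borrowed (OSS) versus purchased (commercial), by file count."""
    return dict(Counter(e.origin for e in inventory))
```

Calling `audit()` returns the file-level inventory and the action items; the LGPL file that is never shipped produces no action item, while the deployed file with no development counterpart does.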
Why nexB (1/2)

•  100% of our customers are repeat customers and references
•  We have a balanced approach
–  Automated code analysis AND analysis by software experts
–  Direct consultation with engineering, management and legal teams
–  Concrete Action items with recommended nexB action resolution and seller Responses
Additional Information
Why nexB (2/2)
•  Trusted third party
–  Mitigates confidentiality concerns of a seller company
–  Maintains proper segregation of information during acquisition negotiations
–  Enables objective analysis with appropriate consideration of feedback from all parties
Contact us
Contact person: Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+1 415 287-7643
More information: http://www.nexb.com/
Lessons Learned – Acquisitions (1/2)
•  Schedule is always a major issue
•  Initiate a software audit early because
–  Seller company will probably not have done this before
–  Negotiation of an NDA takes longer than you expect
–  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with the target company
–  Get answers for open issues
–  Get agreement about remediation strategies
–  Get agreement that report is objective and reasonable
Lessons Learned – Acquisitions (2/2)
•  Identify the “crown jewels” and key platforms of the seller technology
–  Concentrate the audit on the most important parts
–  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
–  For instance, tolerance for certain versions of open source licenses or proprietary Linux drivers varies among companies
–  We apply Buyer company policies if available
–  Otherwise we apply “conservative” community standards
–  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

nexB: Software Audit for Acquisition Due Diligence

1. nexB - Software Audit for Acquisition Due Diligence
© 2014 nexB Inc.

2. Agenda
•  About nexB
–  What nexB does
–  Our experience
•  Software Audit: M&A
–  License Violation Risks & Recent Audit Issues
–  Software Audit Process
–  Software Audit Tools
•  Additional Information
–  Why nexB?
–  Contact us
–  Lessons Learned

3. What nexB does (About nexB)
•  Enable component-based software development
–  Software provenance analysis services
–  Software asset management tools
•  Software audit services
–  Acquisitions
–  Software product releases
•  Active OSS developers
•  Expertise in all software IP

4. Our experience is our difference
•  Recognized by the buyers and target companies as:
–  experts in software origin analysis
–  a fair and trusted intermediary
•  We identify issues along with practical remediation steps
•  350+ software audit projects completed to-date

5. License Violation Risks (Software audit: M&A)
(Diagram of license categories, ranging from source code available to binary-only: Copyleft FOSS, Attribution, Free Software, source with limitations (Proprietary), Binary-only (Proprietary). Examples shown on the slide: GNU GPL, GNU LGPL, MPL, CDDL, EPL, BSD, MIT, Apache, Microsoft shared source, Sun SCSL, many Java libraries, Freeware / Shareware, Adobe Reader.)

6. Recent Audit Issue Examples
•  Dependency Issue “Workarounds”
•  License violation

7. Emerging Audit Issue Examples
•  Cloud computing and Dual Licensing
•  Personal Devices and Application store markets

8. Software Audit Process
(Process diagram.)

9. Software Analysis Scope
(Diagram of the code categories in scope: Original Code, Open Source Code, Commercial Code.)

10. Software Analysis Deliverables
•  Complete inventory of OSS and third-party components in Development codebase(s)
•  Bill of materials for Deployed product components
•  Specific Action items and recommended actions for resolution that can be factored into the deal terms
–  Including possible exposure for older product versions
–  Detailed analysis for copyleft “contamination”
•  Checklist of commercial components as input to due diligence for contract review
•  Analysis of how much code is original versus borrowed (OSS) or purchased (Commercial)

11. Preparation – 1 week (1/2)
•  Establish NDA with seller
–  Two-way or three-way
•  Scope audit effort
–  Audit profile (questionnaire)
–  Size of code base - # files and lines of source code
–  Disclosure of known third-party and open source software
–  Onsite or remote access to the code
•  Prepare/agree quote – always fixed fee, no surprises
•  Schedule project

12. Preparation (2/2)
•  Many targets are anxious about the process
–  General level of anxiety is inversely proportional to prior M&A experience of executives
–  We do some hand holding to make them feel comfortable
–  Assure seller that they review all findings first so no surprises
–  Explain the process and tools to the seller

13. License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
•  Scan files for license, copyright and other origin clues
•  Match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
•  Map Deployed code to Development code to:
–  Validate that we have a complete Development codebase
–  Filter issues based on the effective Deployed/Distributed code
•  Analyze software interaction and dependency patterns for copyleft-licensed components as needed
•  Additional domain-specific investigations, typically for embedded devices and applications of media codecs

14. License & Origin Analysis (2/2)
Results
•  Software Inventory and Bill(s) of Materials
•  Draft Action items & recommendations

15. Review & Report – 1 week (1/2)
Activities
•  Draft findings review with product team
–  Ask product team to respond to each Action item
•  Accept recommended solution or propose another approach
•  Acknowledge & investigate
•  Not a request to fix anything during the audit
–  Incorporate feedback and answers from product team into the Software BOM and Report
–  We may “agree to disagree” – e.g. we then present two points of view: ours and the seller’s.
•  Complete final report
–  Second review cycle with product team
–  Release the report
–  Conference call with buyer to present findings & answer questions

16. Review & Report (2/2)
Results
•  Final Software Inventory / BOM spreadsheets
•  Final Report - narrative with executive summary, project data and summary of the Action items and Responses

17. Software Audit Tools
•  nexB typically uses a combination of tools for a software audit
–  Our own DejaCode™ toolkit is the primary tool
–  Other tools used as needed or as licensed by a customer (open source or commercial)
•  Multiple layers of analysis
–  Direct scan for license and copyright notices
–  Component matching for open source and publicly available third-party components (freeware/proprietary)
–  Analysis of source code and pre-built libraries (binary)
–  Interaction and dependency analysis as needed
•  Review and validation by software experts
•  All require expert humans to interpret the results!

18. Why nexB (1/2) (Additional Information)
100% of our customers are repeat customers and references
We have a balanced approach
–  Automated code analysis AND analysis by software experts
–  Direct consultation with engineering, management and legal teams
–  Concrete Action items with recommended nexB action resolution and seller Responses

19. Why nexB (2/2)
•  Trusted third party
–  Mitigates confidentiality concerns of a seller company
–  Maintains proper segregation of information during acquisition negotiations
–  Enables objective analysis with appropriate consideration of feedback from all parties

20. Contact us
Contact person: Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+ 1 415 287-7643
More information: http://www.nexb.com/

21. Lessons Learned – Acquisitions (1/2)
•  Schedule is always a major issue
•  Initiate a software audit early because
–  Seller company will probably not have done this before
–  Negotiation of an NDA takes longer than you expect
–  Negotiation of access to artifacts and people takes longer than you think
•  The review of findings and recommendations may require several iterations with target company
–  Get answers for open issues
–  Get agreement about remediation strategies
–  Get agreement that report is objective and reasonable

22. Lessons Learned – Acquisitions (2/2)
•  Identify the “crown jewels” and key platforms of the seller technology
–  Concentrate the audit on the most important parts
–  For products with multiple operating system versions, focus on the most important platforms
•  Some issues can be specific to the open source policies of the Buyer
–  For instance, tolerance for certain versions of open source licenses or proprietary Linux drivers varies among companies
–  We apply Buyer company policies if available,
–  Otherwise we apply “conservative” community standards
–  Exceptional cases may require additional discussion with legal and business teams to evaluate the risks
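Slides 13 and 17 describe the layered analysis behind the deliverables: a direct scan of files for license and copyright clues, matching target code to a reference repository by digital fingerprint, and mapping Deployed code back to Development code to confirm the codebase is complete and to filter findings down to what actually ships. The Python script below is an added illustration of those three layers over a constructed in-memory codebase; it is not nexB's DejaCode toolkit or any other tool named in the deck. The license rules, the reference components (libfoo, tinyjson) and every file's contents are invented for the example.

```python
"""Added example: the three analysis layers of a software origin audit
(license/copyright scan, fingerprint matching, deployed-to-development
mapping) run over a constructed in-memory codebase. Not nexB's tooling."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Layer 1 rules: one license clue regex per license key. Constructed for
# this example; a production scanner carries thousands of such rules.
LICENSE_RULES = {
    "gpl-2.0": re.compile(r"GNU General Public License.*?version 2", re.I | re.S),
    "lgpl-2.1": re.compile(r"GNU Lesser General Public License.*?version 2\.1", re.I | re.S),
    "mit": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
}
COPYLEFT = {"gpl-2.0", "lgpl-2.1"}
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\(c\)|©)?\s*\d{4}(?:\s*-\s*\d{4})?\s+[^\n*]+", re.I)


def fingerprint(text: str) -> str:
    """Whitespace-insensitive content hash used as the file's 'digital fingerprint'."""
    return hashlib.sha256(" ".join(text.split()).encode("utf-8")).hexdigest()


# Layer 2 reference repository: (component, license) keyed by fingerprint.
# Constructed stand-in for a real index of known open source releases.
REFERENCE_SOURCES = {
    ("libfoo 1.2", "lgpl-2.1"): "int foo_add(int a, int b) { return a + b; }\n",
    ("tinyjson 0.3", "mit"): "def parse(s):\n    return s.strip()\n",
}
REFERENCE_INDEX = {fingerprint(src): meta for meta, src in REFERENCE_SOURCES.items()}


@dataclass
class Finding:
    path: str
    licenses: set = field(default_factory=set)
    copyrights: list = field(default_factory=list)
    component: Optional[str] = None   # set when the content matches a reference file
    deployed: bool = False            # set when a deployed artifact maps back to this file


def scan_file(path: str, text: str) -> Finding:
    """Layer 1 (clue scan) and layer 2 (reference match) for one file."""
    f = Finding(path=path)
    for key, rule in LICENSE_RULES.items():
        if rule.search(text):
            f.licenses.add(key)
    f.copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    ref = REFERENCE_INDEX.get(fingerprint(text))
    if ref:
        f.component, ref_license = ref
        f.licenses.add(ref_license)   # a match with its notice stripped still has a license
    return f


def audit(dev_files: dict, deployed_files: dict) -> dict:
    """Layer 3: map Deployed content back to Development files, flag deployed
    artifacts with no source (incomplete codebase) and raise Action items only
    for copyleft findings that actually ship."""
    inventory = {p: scan_file(p, t) for p, t in dev_files.items()}
    dev_by_fp = {fingerprint(t): p for p, t in dev_files.items()}
    missing_sources = []
    for dpath, dtext in deployed_files.items():
        src = dev_by_fp.get(fingerprint(dtext))
        if src is None:
            missing_sources.append(dpath)
        else:
            inventory[src].deployed = True
    action_items = sorted(f.path for f in inventory.values()
                          if f.deployed and f.licenses & COPYLEFT)
    return {"inventory": inventory, "missing_sources": missing_sources,
            "action_items": action_items}


# Constructed sample codebases (all file contents are invented for the example).
MAIN_C = "/* Copyright (c) 2014 Acme Corp. All rights reserved. */\nint main(void) { return 0; }\n"
FOO_C = "int foo_add(int a,   int b) {\n    return a + b;\n}\n"   # libfoo, notice stripped
GPL_C = ("/*\n * This program is free software; you can redistribute it and/or modify\n"
         " * it under the terms of the GNU General Public License as published by\n"
         " * the Free Software Foundation; version 2 of the License.\n"
         " * Copyright (C) 2009 Some Upstream Project\n */\nvoid tool(void) {}\n")
TINY_PY = ("# Copyright (c) 2012 Tiny Authors\n# Permission is hereby granted, free of charge, "
           "to any person obtaining a copy\ndef parse(s):\n    return s.strip()\n")
HELPER_JS = "export const ping = () => 'pong';\n"   # shipped, but no source in Development

DEVELOPMENT = {"src/app/main.c": MAIN_C, "src/vendor/foo.c": FOO_C,
               "src/thirdparty/gpltool.c": GPL_C, "src/vendor/tiny.py": TINY_PY}
DEPLOYED = {"dist/main.c": MAIN_C, "dist/foo.c": FOO_C,
            "dist/gpltool.c": GPL_C, "dist/helper.js": HELPER_JS}

if __name__ == "__main__":
    result = audit(DEVELOPMENT, DEPLOYED)
    for f in result["inventory"].values():
        print(f"{f.path}: licenses={sorted(f.licenses)} component={f.component} "
              f"deployed={f.deployed} copyrights={f.copyrights}")
    print("Deployed with no matching source:", result["missing_sources"])
    print("Copyleft Action items:", result["action_items"])
```

Two points from the slides show up directly in the output: `src/vendor/foo.c` carries no license notice at all and is only identified as LGPL because its content matches the reference copy, which is why notice scanning alone is not enough; and `dist/helper.js` ships without any matching Development source, which is the "complete Development codebase" check from slide 13 failing. The MIT finding in `tiny.py` stays in the inventory but raises no Action item because nothing deployed maps to it. A real scanner replaces the whole-file hash with tokenized, partial matching and a far larger rule set, and, as slide 17 says, every match still needs a human to interpret it.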