M&A, trust in software and a good night’s sleep


Building trust in your software is important, but trust in the software is even more important in M&A transactions.


The Black Duck® audit team is part of the Synopsys Software Integrity group. And Synopsys is about trust. Synopsys’ mission is to help you build trust in your software.

There’s nothing better than a good night’s sleep. And with software now central to nearly every business, concerns about software risk can cut into that sleep. An estimated 99% of good sleepers are confident they won’t be woken by news of a breach, lawsuit or outage affecting a customer. OK, that’s my estimate.

The elements of the Software Trust Triangle are:

  1. License compliance. Are the third-party components that make up 78% of typical proprietary software licensed for the way they are used?
  2. Application security. Is the software designed in a way that thwarts clever attackers?
  3. Software quality. Is the code designed and written to be maintainable and to run reliably?

[Figure: the Software Trust Triangle]

Trust is the key to successful mergers and acquisitions

Like dating, the dance that precedes an M&A transaction is about establishing mutual trust. And in a technology transaction, acquirers must fully trust the software they are onboarding, because it embodies a large part of the deal’s value. Beyond the nights and weekends of work an M&A deal demands, there are plenty of concerns to keep everyone awake at night.

A high degree of mutual trust must be established before due diligence begins, usually after months or more of engagement, because due diligence raises the stakes considerably in terms of commitment and information sharing. Both parties need to believe the deal is moving forward to justify such an important next step. Acquirers need to trust that there are no large skeletons in the target’s closet. Targets must be convinced that the acquirer is serious about closing the transaction. Everyone needs some confidence that what they see is what they get.

Don’t forget to check

Due diligence is therefore the “verify” part of “trust but verify.” In a technology transaction, the software is one of the biggest unknowns. Even where trust exists, targets are reluctant to share details of their software with the acquirer (often a potential competitor), even during due diligence, in case the deal falls through. Many acquirers share the mirror-image concern: if the deal fails, they don’t want to be suspected or accused of appropriating the target’s trade secrets in code.

But assessing the software trust triangle (composition and licenses, software security, and quality) requires analyzing the source code, the target’s most valuable asset. Acquirers are rightly concerned about risk in each of these areas. Because many acquisition targets lack adequate controls in their development processes, there are often software issues that need to be resolved. For example, the “Open source risk in mergers and acquisitions in numbers” white paper found that 89% of transactions included open source components with license conflicts, and 97% contained known but unpatched security vulnerabilities.

The essential role of a trusted third party is to bridge that gap. The acquirer must have confidence that the third party can deliver a full trust-triangle analysis within the tight timeline of a typical due diligence effort (weeks, not months). Even more critical is the target’s confidence that the third party will protect its intellectual property and treat it fairly in the valuation.

Peace of mind with fast and comprehensive results

Industry-recognized Synopsys Black Duck audits enable both buyers and sellers in an M&A transaction to build confidence in software due diligence. While we don’t guarantee a good night’s sleep, we promise there will be less to keep you up at night. Trust us; we’ve got this.
