The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection
  • English
  • 日本語

Software quality: Diligence prep for sellers

Chris Boyd

Jun 08, 2023 / 4 min read

Table of Contents

Due diligence for buyers

Every year, thousands of tech companies go through mergers and acquisitions (M&As), with transaction totals reaching billions of dollars. During an M&A transaction the stakes are at their highest, and acquirers must ensure that they are making a solid investment. As part of the process of making a fully informed decision, buyers perform due diligence to deeply assess and evaluate a target company’s financial, operations, legal, commercial, and software (where we come into play), before completing the transaction. The information gained helps validate investment assumptions and inform integration planning, and sometimes turns up surprises that may impact the terms or the deal.

Seller preparation

For sellers, getting ready for due diligence will maximize the financial position of a company as well as help it anticipate and mitigate any potential issues that might come to light during the process. How well-prepared a seller is heading into this process can make a substantial difference on exit timing and total value. Before getting acquired, future sellers can make the company attractive to buyers by preparing for an M&A event and heading off any red flags that might otherwise arise in due diligence and jeopardize a deal.

Bankers will often advise potential sellers on ways to maximize their valuation and prepare for the eventual transaction. They may encourage measures to increase sales and cut costs, and help the company develop a compelling story to communicate the company's position most effectively to interested investors. Bankers will also suggest organizing and consolidating key documents, financial statements, contracts, licenses, permits, and other relevant info that a potential buyer may require during due diligence to expedite the process.

Software risk for sellers

Before an acquisition, tech companies with significant software assets also need to be mindful that their software house is in order. This is an area where most bankers are less comfortable advising. As part of due diligence, a target company’s software development processes are open to scrutiny, and the acquirer might require a code audit to look for potential risks that could affect the deal and future integration plan. The Black Duck® audit team is quite familiar with the issues acquirers dig into as we are frequently the ones wielding the shovels. There are a few common risk areas we find in software due diligence. These include

  • Process and organization. Except in an asset-only deal, acquirers want to get a sense of how the company develops software and how well-organized it is. This provides a look at how effective future development will be. If the acquirer plans to integrate the team into a bigger development organization, it will be interested in the cultural fit and identify critical team members. If the plan is to build the team up, it will assess the scalability of the processes and the organization—determining, for example, whether a small team too dependent on one person. Savvy sellers benefit from in a fresh set of experienced eyes to look at their processes and team as a potential acquirer would.
  • Code concerns. Part of planning integration and validating the acquirer’s business plan involves identifying issues in the code that will need to be addressed going forward. The work required to address code problems is referred to as technical debt. Buyers understand that no software is perfect, but they will want to gauge how much of the future roadmap may be compromised to clean up the code. There are three areas where code concerns fall.
    • Open source and third-party code. Acquirers will want to understand how much and what kinds of open source components are being used in development. They are also interested in the license obligations of that code, and more importantly, whether the code is properly licensed. Some open source licenses are not compatible with commercial use, and improperly licensed code will need to be remediated. Other open source–related issues that can arise during due diligence are operational risks (i.e., are these components old or clunky and are they maintained by an active community) and security bugs (i.e., do these components have known vulnerabilities like the one that hackers exploited in the Equifax breach). Sellers looking for a smooth exit should have a firm understanding of their open source usage and extent of known vulnerabilities.
    • Security posture. Buyers will want to understand how secure the codebase is before they buy it, and if the assets they are about to buy were developed using security best practices. They will want to know how easily the code can be penetrated by bad actors, whose fire an announced acquisition often draws. Sellers with software or sensitive data should get insights into their security posture long before due diligence.
    • Code quality. A sophisticated tech acquirer will want to know how well the codebase is written, how scalable and maintainable the code is, and many other factors related to the overall quality of a codebase. They will want to know if the codebase they are about to invest in is a “hairball” or if it is well-structured and modular. Sellers should identify any potential issues that might come up in due diligence, and allow enough time to remediate in order to avoid any red flags and expedite the exit.

Quality of software

Quality of earnings (QoE) refers to an assessment of a company’s financial accuracy, sustainability, and overall financial health. It provides insights into the main factors that contribute to a company’s earnings and the reliability of those earnings. Many bankers strongly recommend that potential sellers bring in a third party to assess the target’s QoE to give potential buyers comfort with the seller’s financials. Ideally, this assessment is performed well in advance of any serious discussion. One banker recently disclosed, “We won’t touch any company that hasn’t performed a QoE.” In the world of tech, buyers want a similar understanding of the technical assets—the quality of software (QoS).

For a future tech deal, a prepared seller can provide similar comfort by bringing in a third party trusted by potential acquirers to evaluate the QoS along all the dimensions listed. Ideally, this occurs a year out to identify any significant issues early enough to address them well before a formal diligence process.

Smooth exits

With two decades of experience, the Black Duck audit group partners with our clients to share knowledge, insight, and expertise. We have worked with thousands of buyers to assess the quality of software of targets, and have a developed an understanding of what matters to them. Looking broadly over a prospective seller’s process and code well in advance of a deal, we can make recommendations for actions to achieve solid-quality software to help ensure a smooth software due diligence process.

Sellers that have their house in order typically achieve more successful exits.

Contact Black Duck Audits to learn more

Continue Reading

Once and future code snippets: How AI reignites risk

Once and future code snippets: How AI reignites risk

Phil Odence
By Phil Odence

Jul 24, 2024 / 3 min read

Tags: M&A, SCA, Secure the Software Supply Chain
Mergers and acquisitions insurance

Mergers and acquisitions insurance

Steven Power
By Steven Power

Jan 16, 2024 / 3 min read

Tags: M&A
Making intelligent tradeoffs in software due diligence

Making intelligent tradeoffs in software due diligence

Phil Odence
By Phil Odence

Dec 13, 2023 / 4 min read

Tags: M&A, SCA, Compliance, Manage Security Risks, OSS License Compliance
Audited vs. automated: What your automated open source tool isn't seeing

Audited vs. automated: What your automated open source tool isn't seeing

Susan Miller
Rich Kosinski
Don Mulrenan
By Susan Miller, Rich Kosinski, Don Mulrenan

Nov 21, 2023 / 5 min read

Tags: M&A, SCA, Build Security into DevOps, OSS License Compliance
SBOMs and SPDX: Now and in the future

SBOMs and SPDX: Now and in the future

Gary O’Neall
By Gary O’Neall

Oct 27, 2023 / 3 min read

Tags: M&A, Secure the Software Supply Chain, OSS License Compliance
The hidden business risks of technical debt in mergers and acquisitions

The hidden business risks of technical debt in mergers and acquisitions

Phil Odence
By Phil Odence

Oct 13, 2023 / 3 min read

Tags: M&A, Manage Security Risks, OSS License Compliance

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security
©2024 Black Duck Software, Inc. All Rights Reserved