Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP

Upload: black-duck-software

Post on 25-May-2015

DESCRIPTION

This webinar focuses on the issues related to improper use of open source software and how this can impact M&A and other partnering opportunities. Attendees will learn techniques to uncover potential issues and the benefits of properly managing your software assets to minimize delays and risks. Russell Hartz of SAP’s Corporate Development organization discusses their strategy and perspective on the subject and how they approach this kind of technical due diligence.

TRANSCRIPT

Page 1: Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP

Technical Due Diligence for M&A:

A Perspective from Corporate Development at SAP

Page 2

Speakers

Peter Vescuso

EVP of Marketing & Business Development,

Black Duck Software

Hal Hearst

Sr. Director, Olliance Group

Russell Hartz

Corporate Development, SAP

Page 3

Agenda

Market trends

Why technical DD is needed

M&A Issues

How it works
– Code Scanning
– Analysis

SAP: Perspective from a Major Acquirer

Summary

Note: All registered participants will receive a follow-up email with a copy of the slides and a link to the webinar recording.

Page 4

Market Trends

Open source is becoming pervasive and ubiquitous
– It’s in your phone, your HD TV, your printer, your web browser, Google, Amazon, Twitter, etc.
– Gartner reports 85% of enterprises use OSS today

Economics of OSS are compelling
– Virtually all IT organizations now use OSS; much is ad hoc
– 45% of use is mission-critical

Market Need – “Managing Abundance”
– < 30% of customers have any OSS policies
– Need: address challenges of multi-source development:
  - Compliance/Management – IP, security, export
  - Management/Automation – policy, process, multi-source

451 Group Survey on OSS Use (December 2009)

• 87% of companies say OSS meets or exceeds cost savings expectations

• 39% of OSS users ranked flexibility as the primary benefit

Page 5

Why Technical DD is Needed: Many Paths for Open Source to Get into a Code Base

[Diagram: Your Software Application is assembled from Internally Developed Code, Open Source Software, Outsourced Code Development and Commercial 3rd-Party Code, contributed by Individuals, Universities and Corporate Developers at sites such as Cambridge, San Mateo, Russia and Bangalore; each path brings Code and Obligations into Your Company’s tools and processes.]

“Open source is a necessary component of all organizations' supply chain strategies. It is essentially a way to manage cost and mitigate 3rd party dependencies.” Brian Prentice, Gartner Group

Page 6

Why Technical DD is Needed: Issues

Open Source Problems
– Open source issues arise in the development process and software supply chain
– Discovery of open source post open source representations
– Anonymous: Entire source code posted on SourceForge

Risks
– Lose deal
– Delay deal
– Reduced price/valuation
– Lost revenue

Page 7

Why Technical DD is Needed: Issues

Use of open source is widespread (despite what your CTO tells you)
– “A ‘don’t ask, don’t tell’ pact obscures the reality of OSS use” (Jeffrey Hammond, Forrester Research)

Major acquirers and licensees are increasingly sensitive to uncertainty in general and to this issue in particular (some have a separate due diligence process for open source)

Difficult to correct problems during merger frenzy

Delay may be deadly to the deal

Page 8

Open Source Licenses

Open source licenses give broad rights
– Copy, modify, redistribute
– Includes express or implied patent rights
– But also obligations, which are triggered on distribution, not on use

Product Risks
– Uncertain "pedigree"
– "AS IS"
– Copyleft nature of GPL & other licenses

Page 9

Risks of Unmanaged Code

– Loss of Intellectual Property
– Export Regulations
– Injunctions
– Security Vulnerabilities
– Software Defects
– License Rights and Restrictions
– Contractual Obligations
– Escalating Support Costs

Page 10

Software Licensing Violations

Cases and enforcers named on the slide: Best Buy, Cisco, Verizon, Monsoon Multimedia, Xterasys, High-Gain Antennas, Bell Microproducts, Super Micro Computer, Motorola, Acer, Skype, D-Link, BT, ASUS eeePC laptop, Diebold, Jacobsen v Katzer, Software Freedom Law Center, gpl-violations.org, and others.

Business impact: Valuation, Infringement, Remediation Costs, New revenue, Support costs, Vulnerability

Page 11: Technical Due Diligence for M&A: A Perspective from Corporate Development at SAP

Compare code in target’s code base against comprehensive KB of open source components

Generate a software Bill of Materials, identify license obligations and conflict analysis

Validation Server

Projects Licenses

Open Source

Third Party Code

Internal Code

Black Duck Analysis

KnowledgeBase License Conflict

Bill ofMaterials

Code Base

Report

Technology Allows Easy Discovery of Unknown Open Source

Page 12

The Black Duck KnowledgeBase: Unmatched Depth & Breadth

Comprehensive open source database
– Over 100 billion lines of code
– 550,000+ OSS projects, all versions
– Over 5,060 sites
– Representing 2,000+ unique licenses
– 50,000+ security vulnerabilities
– 550+ cryptographic algorithms

Extensive metadata
– Name, description, versions, URL
– License, programming language, OS
– National Vulnerability Database
– Cryptography
– Code prints of source/binary
– Customer-specific/contributed

• Addresses the “long tail” of OSS projects

• Continuously expanded

• Custom code printing to add your own code

• Daily security vulnerability alerts

• Automated metadata updates issued ~2x month

Page 13

Code Prints

Encoded representation of source code
– Black Duck KnowledgeBase represented by billions of Code Prints

Robust Code Detection
– Exact and fuzzy Code Print comparison
– Statistically-based, pattern-matching

Extensible to Additional Code
– Add any code to local copy of KnowledgeBase
– Track / manage sensitive source code

Confidential
– Source code and Code Prints remain local
– Code Prints impossible to reverse engineer

Code Prints make it all possible
– Many TB of code can reside on a local server
– Efficiently searched to speed time-to-results
– Finds the origin of code even without an audit trail

Page 14

Source Code Analysis

Code matching
– Compare Code Prints of your source code to the Black Duck KnowledgeBase
– Detects matches of components, files and code fragments
  - Finds reused code even when altered
  - Reports project / license for confirmation
– Language independent

Dependency analysis
– Import/include statements

Integrated string search
– Standard string search queries
– Custom strings
– Find licenses, copyrights, URLs, company names, user comments (“taken from”), …

Analysis results that are unachievable by a manual process

Page 15

Binary Code Analysis

File matching
– Compares checksum value (MD5) to the KnowledgeBase
– Libraries, class files, executables, archives, images, and more

Dependency analysis
– Detect dependencies embedded in JAR, CLASS, DLL, SO, etc.

Archives and Compressed Files
– Descends into archive files (zip, jar, tar, war, …)
– Recursively performs source and binary analysis

The Black Duck KnowledgeBase simplifies binary file identification
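The discovery steps on pages 14 and 15 (checksum matching against a knowledge base, descending recursively into zip-format archives such as jar and war, and string search for license, copyright, URL and “taken from” markers) are shown together in the following added example. It is not Black Duck’s or SAP’s code; KNOWN_FILES is a constructed one-entry stand-in for the KnowledgeBase, and the sample code base built by build_sample_tree is constructed too.

```python
# Added example (not Black Duck's or SAP's code); KNOWN_FILES stands in for the KnowledgeBase.
import hashlib, io, os, re, tempfile, zipfile

KNOWN_MATHLIB = b"int add(int a, int b) { return a + b; }\n"  # constructed sample file
KNOWN_FILES = {hashlib.md5(KNOWN_MATHLIB).hexdigest(): ("example-mathlib", "MIT")}
MARKERS = {  # string searches the slide lists: licenses, copyrights, URLs, "taken from"
    "gpl": re.compile(rb"GNU General Public License", re.I),
    "copyright": re.compile(rb"Copyright \(c\)", re.I),
    "url": re.compile(rb"https?://[\w./-]+"),
    "taken_from": re.compile(rb"taken from", re.I),
}
ARCHIVES = (".zip", ".jar", ".war")  # all zip-format containers

def scan_bytes(path, data, findings):
    """Hash-match one blob; recurse into it if it is an archive, else string-search it."""
    hit = KNOWN_FILES.get(hashlib.md5(data).hexdigest())  # MD5 as named on the slide
    if hit:
        findings.append((path, "match", f"{hit[0]} ({hit[1]})"))
    if path.lower().endswith(ARCHIVES) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():  # a jar nested in a war is handled by recursion
                    scan_bytes(f"{path}!{info.filename}", zf.read(info), findings)
        return  # the container is not string-searched, only its entries
    for name, pat in MARKERS.items():
        if pat.search(data):
            findings.append((path, "string", name))

def scan_tree(root):
    """Walk a tree; return sorted (path, kind, detail) findings, the raw input for a BoM."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for fn in names:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                scan_bytes(os.path.relpath(full, root).replace(os.sep, "/"), fh.read(), findings)
    return sorted(findings)

def build_sample_tree():
    """Constructed target code base: one known file plus a .war holding a nested .jar."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "add.c"), "wb") as fh:
        fh.write(KNOWN_MATHLIB)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("util.py", "# taken from http://example.com/util\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("LICENSE", "GNU GENERAL PUBLIC LICENSE\nCopyright (c) 2010 Someone\n")
        zf.writestr("lib/inner.jar", inner.getvalue())
    return root
```

Exact checksum matching only identifies files that are byte-identical to the knowledge base; a file edited by a single character produces no match, which is why the fuzzy Code Print comparison on page 13 matters for code that has been altered.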

Page 16

License Analytics

Over 2,000 open source and other licenses
– With full license text

Licenses organized according to 24 attributes
– Rights and obligations to simplify license review

Display of license conflicts

Automated approval process

Obligation fulfillment checklist

Add custom licenses

Speed license reviews and make better choices, earlier in the development process

Page 17

Remediation

Code Audit may reveal issues that need remediation

Remediation can be done…
– Pre-acquisition as a condition of the sale
– Post-acquisition as part of the integration

Primary Concern during Due-Diligence Phase
– Does the remediation impact valuation?
– What is the cost & effort?
– Who should do it?
– When is it done?
– How much risk is the Acquirer taking?

Remediation options will depend upon the OSS detected (license)

Process: Conduct Code Audit → Determine Remediation Options → Remediate

Page 18

What are the Remedies?

Conform to the License
– Verify Compliance to License Obligations
  - Check for File Modifications
  - Confirm file level obligations are met
    – Copyright statements retained
    – Modification notices in place
    – License Text in place
  - Publish / distribute software if necessary
  - Update documentation/splash screens if necessary
  - And a host of others depending upon the license
– Implement Changes
  - Typically done during Integration (post sale)

Change Usage
– Some obligations depend upon usage scenario
– Re-architect so usage of component is less integrated
– Comply with more desirable license terms

Page 19

What are the Remedies? - Cont.

Remove Offending Code
– Black Duck Service can detect “Fossils”
– Verify code can be safely removed with no impact
– Typically forced on Sellers

Replace Code
– Replace with other OSS
– Replace with Commercial Alternative
– Replace with In-house developed Code

Need Clean Room Environment?
– Can be difficult if OSS component is critical
– Can be lengthy and expensive

Page 20

SAP Profile

The SAP Solution Portfolio: SAP Business Suite, SAP Solutions for SME, SAP NetWeaver
– Implement Flexible Business Processes
– Improves Business Insight
– Drives Business Efficiency
– Enables Flexibility & Innovation

Major acquirer: 20+ acquisitions since 2007 valued at >$13 billion

Black Duck code scans in 15 closed deals since 2007 with total value >$7.5 billion

> 2,000 OS components identified in target solutions

Page 21

SAP’s Experience with Evolution of Target’s Response to Open Source Due Diligence

Past: Skepticism
– Why is SAP performing OS diligence?
– Many questions about process / NDA heavily negotiated
– Require code scan to be performed on site

Present: Industry Standard
– Open source due diligence is expected
– Few process questions / little negotiation of NDA
– Allow remote code scan

Page 22

SAP – M&A Due Diligence on Open Source

SAP asks targets (typically prior to signing a term sheet):
– Provide a list of all open source in use
– Do you have a policy regarding open source use?
– Do you have a governance process to monitor & control the use of open source in your products?

Following execution of a non-binding term sheet, SAP engages Black Duck to scan the target’s code for open source.

Scan results are evaluated by SAP’s open source licensing and legal groups prior to finalizing the transaction.

Page 23

SAP M&A Open Source Evaluation Process

Evaluate and categorize risk of open source components used in target’s products
– High risk components must be removed prior to SAP’s shipment of product post-closing
– Non-high risk components are dealt with following closing as part of SAP’s standard open source governance process

SAP may terminate a transaction evaluation due to the amount of open source found in the target’s code and/or the cost of remediating high risk components.

Page 24

SAP Open Source Governance Process

Process steps: Open source request form → Architecture Check → Legal & IP Evaluation → Applicant Briefing → Management Approval

General License Evaluation
– Warranties / liabilities
– Support offerings
– General license grant
– Export restrictions

Modifications
– Does the license allow for modifications?
– What terms apply to modifications?

Special Requirements
– Required text for documentation
– Copyright notices
– Distribution pre-requisites in general

IP Evaluation
– Product’s characteristics
– Contribution policy
– Companies supporting and using the open source product

Page 25

Summary

Open source is pervasive and ubiquitous

Checking for open source has become an industry best practice in M&A involving software assets

Be Pro-active:
– Run a code scan to accurately identify the open source components used in your code
– Create an explicit policy for using open source
– Regularly audit compliance (can be automated)