Open-source software scan - something every M&A deal should include.
Updated: Sep 28
Open-source software has swallowed the world. According to Gartner, over 95% of enterprises across the globe use open-source software in their mission-critical applications, whether they are aware of it or not.
For all of the open-source software benefits (reduced costs, faster time to market & abundance), there are security and licensing-related risks that need sound management. Especially true if you are looking to acquire a business with all its assets and IP.
The vulnerability that cost $1.4 billion
Equifax, one of the largest credit reporting agencies in the US, was hacked by exploiting a vulnerability in Apache Struts, a popular open-source development framework for creating enterprise Java applications.
As a result, the personal data of 143 million US & 15 million UK citizens got compromised. An epic public relations horror story. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs.
Value of open-source software scans
The open-source software scan is an automated scan providing an overview of licensing & security-related risks associated with a given codebase at a specific moment in time. It assesses the codebase's exposure to known security vulnerabilities and potential license usage conflicts.
As a result of such a scan, a detailed report of the current state should include at least the following:
License Inventory - list of all the open-source software components identified, associated licenses, and license risk scores.
Vulnerability Inventory - list of all components identified bearing vulnerabilities, including severity evaluation, suggested mitigation actions, and the locations of these components.
Library Location Inventory - a complete overview of all open-source components identified and their precise locations within the scanned codebase.
Intium's open-source software scan reports add value by narrowing focus on outlined items specifically pertinent to the investment objectives and providing specific recommendations and instructions on mitigating all identified risks, making it easy to create an action plan for addressing all qualified findings.
Beyond one-time scans
Over ten new vulnerabilities are discovered in the open-source software space and made public each day. So businesses need to have appropriate policies, processes, and tools to handle all the dependencies that make the open-source software work in the first place.
From an M&A perspective, this is where comprehensive due diligence can help - by also looking at how the IT organization navigates the complex world of open-source software.
TOP3 questions to ask:
Does the IT organization have a policy that defines how and what types of open-source software can be used?
How are vulnerabilities tracked, affected components patched, and results verified?
Has the organization implemented open-source scanning procedures in its CI/CD processes?
Intium is a technology due diligence and value creation services provider. We work with private equity investors, and portfolio and large companies helping assess software and tech-enabled M&A targets. We are revamping this business to be data-driven and software-powered! We help you with buy-side tech diligence, sell-side vendor due diligence, and value creation solutions.
For more information, contact us directly at firstname.lastname@example.org