Uncovering Risks of Open-Source Software: A Technical Approach to M&A Due Diligence (Part 2)

Jun 30, 2023 | Portfolio Governance

In this second of a two-part series from guest authors Tuyana Molokhoeva and William Luk of Quandary Peak, we look at cybersecurity risk in OSS and how to perform technical due diligence. Read part one here.

Cybersecurity risks are a significant concern when it comes to OSS in M&A transactions. With most software products pulling in tens or even hundreds of OSS packages, it is easy to lose track of which packages are vulnerable and to fall behind on updating them.

One key risk is that OSS may contain security vulnerabilities that have already been discovered and are being actively exploited by attackers. Such vulnerabilities can be found in any software, but OSS can be particularly exposed because it is often developed by a large and diverse community of contributors, and it is not always possible to know who is involved in development or in any testing process. This can make it difficult to identify and address vulnerabilities in a timely manner.

In addition, OSS is often widely used and its source code is publicly available, making it an attractive target for attackers looking to exploit known vulnerabilities. If an OSS library is known to be used by “high value targets,” a sophisticated hacker could analyze the OSS source code to formulate a very specific exploit.

Another risk is that the OSS used by the target company may not be well-maintained or may not have been reviewed or tested for security vulnerabilities. This can expose the company to a range of cyber threats, such as data breaches, malware infections, trojan horse / backdoor planting, and other incidents that can result in significant harm to the company's reputation and bottom line.

Finally, M&A transactions can also lead to increased cybersecurity risks by introducing new technologies, systems, and people into the company's IT environment. The process of integrating the target company's software products / solutions and IT systems with those of the acquiring company can create new attack surfaces and opportunities for attackers to gain access to sensitive data and systems.

To mitigate these risks, companies should conduct thorough due diligence to identify any cybersecurity risks associated with the target company's use of OSS and take appropriate steps to manage and mitigate those risks. This can include implementing security controls to protect against known vulnerabilities, regularly reviewing the company's OSS inventory, and incorporating appropriate legal protections into the transaction documentation. Additionally, it's important to have a robust incident response plan in place and to ensure that the target company's IT environment is properly integrated and secured following the merger or acquisition.

How Are Risks Assessed in M&A Transactions?

  • Due Diligence
    Conducting a thorough due diligence review is an essential step in identifying and assessing OSS-related risks associated with a potential acquisition target.
  • Audits and Assessments
    OSS-related risks can also be assessed by conducting audits or assessments of the target company's use of OSS.
  • Legal Review
    A legal review of OSS-related licenses, agreements and other documents can be done to identify any potential risks or liabilities related to the target company's use of OSS.
  • Technical Review
    A technical review can be performed to identify any technical risks associated with the target company's use of OSS.

All these steps, when combined, can give a comprehensive understanding of the OSS usage and risks associated, allowing companies to make better-informed decisions and manage OSS-related risks more effectively.

What is the Role of Technical Due Diligence in Assessing and Mitigating OSS-Related Risks?

Technical due diligence plays a critical role in assessing and mitigating OSS-related risks in M&A transactions. Technical due diligence is the process of evaluating the technical aspects of the target company, including its IT infrastructure, software, and systems.

During the technical due diligence, a team of technical experts will review the target company's software inventory to identify any OSS used and any licenses and obligations associated with that software. This can also help to identify any security vulnerabilities, non-compliance issues, or other risks associated with the OSS, which can inform the overall risk assessment of the target company.

Additionally, technical due diligence can determine whether the target company can continue using the OSS after the merger or acquisition, if the company has the proper maintenance and support plan, and if any technical compatibility issues may arise from integrating the OSS into existing systems.
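As an added illustration of the inventory review described above (example code written for this article, not Quandary Peak's or CAST's tooling), the script below triages a flattened, CycloneDX-inspired OSS inventory against a constructed advisory list, flagging known vulnerabilities, copyleft license obligations, and components with no recent release. The SBOM, advisory entries and package names are all constructed for the example.

```python
"""Triage an OSS inventory for technical due diligence (added example)."""
from datetime import date

# Constructed sample inventory: a flattened, CycloneDX-inspired shape, not a real product.
SBOM = {
    "components": [
        {"name": "libfoo", "version": "1.2.0", "license": "MIT", "last_release": "2023-01-15"},
        {"name": "libbar", "version": "0.9.1", "license": "GPL-3.0-only", "last_release": "2019-06-01"},
        {"name": "libbaz", "version": "2.4.3", "license": "Apache-2.0", "last_release": "2022-11-20"},
    ]
}

# Constructed advisory feed; a real review would pull this from a vulnerability database.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "libbar", "affected": ["0.9.0", "0.9.1"], "fixed_in": "0.9.2"},
]

# Licenses whose distribution obligations typically need legal review in an acquisition.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}
STALE_DAYS = 730  # no release in two years is treated as a maintenance/support risk


def triage(sbom, advisories, today_iso):
    """Return one finding per component: known vulnerabilities, license obligations, staleness."""
    today = date.fromisoformat(today_iso)
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"], []).append(adv)
    findings = []
    for c in sbom["components"]:
        issues = []
        # Exact-version match against the advisory's affected list.
        for adv in by_pkg.get(c["name"], []):
            if c["version"] in adv["affected"]:
                issues.append(f"known vulnerability {adv['id']} (fixed in {adv['fixed_in']})")
        if c["license"] in COPYLEFT:
            issues.append(f"copyleft license {c['license']}: distribution obligations need legal review")
        age = (today - date.fromisoformat(c["last_release"])).days
        if age > STALE_DAYS:
            issues.append(f"no release in {age} days: maintenance/support risk")
        findings.append({"component": f"{c['name']}@{c['version']}", "issues": issues})
    return findings


if __name__ == "__main__":
    for f in triage(SBOM, ADVISORIES, "2023-06-30"):
        print(f["component"], "->", f["issues"] or ["no findings"])
```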

Another important aspect of technical due diligence for OSS-related risks is evaluating the company's IT infrastructure and identifying any vulnerabilities or security risks associated with the OSS. This can include assessing the company's security controls and identifying any potential attack surfaces, as well as evaluating the company's incident response plan to ensure that it is robust and effective.

So what do you do?

The problem with obtaining the technical due diligence intelligence you need? For many companies, the software they are doing a deep dive on is a maze of technologies, millions of lines of code, and thousands of objects. At the same time, the technology due diligence time frame is very short and takes place under strict confidentiality. And even those who know the applications best do not necessarily have all the knowledge. They may also have a vested interest in portraying the software as being in good condition. How can you or your chosen advisory firm figure out its true condition, and the risks related to its OSS components? Guesswork, interviews, and traditional tools only scratch the surface.

We at Quandary Peak take a different approach. We augment the subjective fact finding with machine-generated software intelligence that enables rapid and deep, ISO-based technology due diligence to lower M&A risks and accelerate value creation. More specifically, we leverage CAST software intelligence technology. It ‘understands’ the inner workings of complex software systems by taking all application artifacts and reverse-engineering the internal structures, while automatically providing insights about the software condition. It is the only technology fully applying ISO 5055, the standard for assessing structural integrity of software applications.

That allows for fact-based assessment of the software assets, including the OSS risks, within a matter of a week or two and without involving developers.

Overall, technical due diligence is an essential step in assessing and mitigating OSS-related risks in M&A transactions, providing companies with a comprehensive understanding of the target company's use of OSS and the associated risks, which is important to make informed decisions and to take appropriate steps to manage those risks.

In summary, it's important to assess OSS-related risks at various stages of the M&A transaction process and take appropriate action to mitigate them. Leveraging software intelligence can massively streamline the process. When companies properly undertake this process, they can make better-informed decisions and effectively manage the risks associated with OSS usage, protecting the company's reputation, bottom line, and business continuity.