© Black Duck 2013
Open Source Software and the
impact on Mergers & Acquisitions
Speakers
Russell Hartz, VP of Corporate Development, SAP
Oliver Vivell, Senior Director of Corporate Development, SAP
Matthew Jacobs, General Counsel, Black Duck
Today’s Agenda
• Open Source Software (OSS) Trends
• OSS in Mergers & Acquisitions
• SAP’s Strategy & Perspective
• Summary & Conclusion
The Global State of Open Source
“Software is Eating the World”
Marc Andreessen
“And Open Source is Driving the
Software World”
• 2.7 Billion Files
• 1M Projects
• 100B LoC
• 10M person-years
Source: Black Duck Software
[Diagram: sources of code in "Your Software Application" within the enterprise: FOSS Community; Internally Developed Code; Commercial 3rd-Party Code; Outsourced Code Development]
Company Benefit: Less is More
30%
80%
Average*
Best in class
“Enable organizations and developers to use open source technologies and methods to build software faster, better and cheaper.”
Real World Example
“Over 80% of the software in our handsets is open source”
What is OSS?
• It’s third party software
• No single “official” definition
Black Duck tracks over 2,200 unique licenses
Third-party
Software
The OSS License Continuum
[Figure: license continuum running from Permissive to Restrictive]
• Permissive licenses: X11/MIT, Apache, BSD
• Weak Copyleft: LGPL, MPL
• Strong Copyleft: GPL
Other Interesting OSS Licenses
• Beer-ware
• Tofu
• Fender Stratocaster
• No-nuke
• Chicken Dance
The Good News / Bad News
50% of companies will face challenges due to lack of FOSS policy and management
30% of deployed code is open source
Open Source in M&A: Why acquirers worry
• Concerns
• Inheriting problems
• Delaying revenue while addressing
• Most companies don’t know what’s in their code…often times despite believing they do
• According to analysts, <50% of companies even have open source policies
• What Black Duck sees in M&A
• 20% - 50% of code we scan is open source
• >90% of target code bases contain undisclosed open source code
• >50% of code bases contain unknown or reciprocal licenses
Hierarchy of Tech M&A Issues (partial list)
• Legal Issues
• IP Issues
• Copyright/Licensing
• Open Source
• Patents
• Open Source
• Export Control
• Open Source
• Technical Issues
• Security
• Open Source
• Quality
• Open Source
• Supportability
• Open Source
• Etc.
Acquirer’s Need to Understand…
• What open source components are in the target’s code? Under what licenses? How are they used?
• GPL
• Fit with acquirer policies vis-à-vis usage
• Obligations and how completely met
• Extent of remediation required
• How the target knows
• Knowledge
• Policy
• Process
• Approaches to assessing
• Interviews/Inspection
• Tools
• Third-Party Services
Why Targets Need to Care
Deals get delayed for remediation
Valuation or financial terms change
Deals go south
He who sells what isn’t his’n,
Must buy it back or go to prison.
- Daniel Drew,
What’s a startup to do with respect to OSS?
• No company is too small to need governance
• Policy – Can be simple…red/yellow/green
• Process – Czar, Catalog, Approval
• Education – Developers are your firewall
• Implementation
• Define Policy/Process
• Baseline
• Education/Rollout
Russ Hartz, VP, SAP Corporate Development
Oliver Vivell, Sr. Director, SAP Corporate Development
August 27, 2013
Technical Due Diligence for M&A
© 2013 SAP AG. All rights reserved. INTERNAL 18 Powered by SAP HANA
[Figure labels: Mobile; Analytics; Database & Technology; Cloud; Applications]
SAP – Company Profile
• Worldwide leader in enterprise applications* and third largest independent software manufacturer **
• More than 248,500 customers in 188 countries
• More than 65,500 employees with locations in more than 130 countries
• 2012 Revenue = ~$21.3 billion | Market Capitalization = ~$90 billion
SAP’s Experience with Evolution of Target’s Response to Open Source Due Diligence
Past: Skepticism
• Why is SAP performing OS diligence?
• Many questions about process / NDA heavily negotiated
Present: Industry Standard
• Open source due diligence is expected
• Few process questions / little negotiation of NDA
Require code scan to be
Open Source Evaluation is a core process in SAP’s technical M&A Due Diligence
[Timeline figure: Due Diligence ~1-2 Months; milestones LOI, SIGN, CLOSE; phase labels Audit, Integrate, Plan Integration, Evaluate, Identify]
SAP asks targets:
o Provide a list of all open source in use
o Do you have a policy regarding open source use?
o Do you have a governance process to monitor & control the use of open source in your products?
Following execution of a non-binding term sheet, SAP engages Black Duck to scan the target’s code for open source.
Scan results are evaluated by SAP’s open source licensing and legal groups
Open source components used in target’s products evaluated and categorized by risk
• Remediation of high risk open source
• Non-high risk components are managed in PMI
SAP may terminate a transaction evaluation due to the amount of open source found in the target’s code and/or the cost of remediating high risk components
SAP’s approach to manage Open Source is a continuous process along the integration
• Open Source management for acquired solutions is being continued in PMI phase
• End-to-End support provided by designated Open Source Expert (Diligence into Integration)
• Success of remediation activities is being managed via internal open source rescans with Black Duck Protex and via “BlackDuck Code Center”
• Supports e.g. license compliance, Copyright notices, etc.
• Integration into SAP’s standard open source process
[Timeline figure: Post Merger Integration / Development Operations; milestones LOI, SIGN, CLOSE; phase labels Audit, Integrate, Plan Integration, Evaluate]
Summary
Open source is pervasive and ubiquitous
Checking for open source has become an industry best practice in M&A involving software assets
Be Pro-active:
• Run code scan to accurately identify the open source components used in your code
• Create an explicit policy for using open source
Conclusion
• Unmanaged use of open source can lead to:
• Lost deals
• Delayed deal
• Reduced price/valuation
• Lost revenue
• There are many paths for unknown components to enter a code base
• It’s difficult to correct problems during an M&A transaction
• OSS due diligence helps companies avoid the risks
• Analyze contents using a comprehensive KnowledgeBase
+8 Years of Experience
Black Duck Open Source Audit Services
• Discover unknown open source
• More thorough and accurate analysis than manual audits
• Identify encryption technologies that can restrict the legal export of software
• Identify security vulnerabilities that can impact software asset value
Free quote: [email protected]
1,000’s Audits
$40B+