How To Conduct A Technical Due Diligence Without Sharing Your Code

July 1, 2022 08:21 am

For most software, systems, and service companies, value is based upon the success of their software technology. One glance at Elon Musk’s embattled bid for Twitter reveals an algorithmic and data nightmare – one that could possibly lower the acquisition price of the company! In the acquisition of any software company, the product is the software and the intellectual property encapsulated in it is key to its value. Therefore, the evaluation of software quality, and its built-in intellectual property, are critical to assessing the acquisition value of the company. But modern tools for evaluating software quality often require sellers to share their software code with third party evaluators. For reasons we will discuss below, this is neither optimal for the seller nor the buyer.

In this article we outline a method for successfully evaluating an M&A without sharing your software code with third parties.

M&A valuations: complex and time-consuming

It’s no secret that acquirers seek to reduce their total acquisition cost and sellers seek to increase it. But how? All interested, and wise, investors will conduct a technical due diligence (TDD). This is a comprehensive assessment of the quality of a company’s product architecture, code base, security, and the operating processes of its technology organization.

Goals of a successful technical due diligence

A thorough technical due diligence is necessary to gain insight into the source code of the software. The main goals of a technical due diligence are:
  • confirmation of assumptions that support the deal,
  • estimation of post-acquisition integration/maintenance,
  • evaluation of a product’s support complexity and cost, and
  • identification of major risks
Arguably, the last goal is the most important. Unidentified risks can prove costly to the acquiring company down the road. (Take the Yahoo acquisition, for example, which cost the acquirer $117.5 million in unforeseen data complications.)
The source code analysis is an integral part of a successful technical due diligence. Usually, the acquiring company requests source code access post-LOI, and it is very common for the selling company to refuse to share source code access before the acquisition closes. This conflict is a major pain point in the majority of software company acquisitions.

Pandora’s box in M&A processes

A complete M&A review process addresses common concerns, including:
  • time-sensitive deadlines,
  • confidentiality,
  • the lack of technical resources,
  • the unwillingness of a legacy engineering team to disclose information,
  • the complexity of extracting the critical information from various technical reports, and
  • the “cone of silence” that often dominates the procedure.
The due diligence is handled either by an internal team or is outsourced to a third party. The selling company is asked to upload the code to a code analysis SaaS tool, or to share the code as a zip archive. This poses a significant risk for the company in the event that the acquisition is withdrawn.
Due to the narrow timeframe, however, rarely, if ever, does the acquirer have time to review the code itself. The general assessment is based on an evaluation of the findings rather than on the code review. So why can’t the company simply share the findings instead of the source code? The common answer is that the company lacks the tools and the resources to analyze the source code, and the time to compile the required reports.
The problem remains unsolved. If the company decides to outsource the code analysis to a third party, it must share the code again.
But is this the only way? Is it mandatory to share code access in order to complete an in-depth analysis? (1)
Isn’t there any affordable tool on the market today that simplifies the technical due diligence without requiring the sharing of the source code with a third party? (2)
It is likely that sharing code without a detailed disclosure agreement between the two parties will end in legal conflict if the acquisition is cancelled. Forbes lists the steps of a safe M&A process. Nevertheless, it is challenging and requires investment in the faithful application of this process. Cases like the disclaimer that the Delaware court in Abry Partners V, L.P. v. F&W Acquisition LLC deemed enforceable are raising concerns.

Requirements for a safe and effective technical due diligence of software code

Before answering the above questions, let’s define the requirements for an effective and accurate technical due diligence of code:
  • Simplified, yet comprehensive and indisputable, quality reports that facilitate the discussions and the M&A negotiations and which cover the needs of the involved stakeholders (business executives, engineering management, etc);
  • A clear and complete bill of materials. Both sides should know exactly what is included in the code and all the external dependencies (i.e., a complete list of linked third party libraries, open source and commercial, with a classification of the associated risk);
  • A list of licenses (open source and commercial) for each linked library;
  • A list of vulnerabilities and explanations;
  • A list of major violations of programming best practice (e.g., defects, duplications);
  • Product architecture;
  • A development team analysis;
  • An easy onboarding and governance process; and
  • A native CI/CD integration and ongoing remediation support for post-event integration.
Given this, is it possible to fulfill the aforementioned requirements for a successful M&A review without sharing the codebase?
Our answer is yes, with the exception of architecture discovery. (And because we do not believe that the architecture of a product can be discovered by studying the code anyway, the process is otherwise complete and thorough.)
So, then why does everybody ask for codebase sharing if the process could be complete without it? Because there are no tools, commercial or open source, designed to support the requirements of technical due diligence.

The problem with the existing tools on the market today

The software development market is fragmented by various software evaluation and license compliance tools that do not effectively resolve this particular M&A challenge. The leading products try to sit in two boats at once, compromising between the needs of software development and those of technical assessment.
  • The key players (BlackDuck Hub, WhiteSource, SonarSource, Snyk, etc.) are designed mainly as SaaS products because of their common price model. Experienced professionals know well that all these products are priced according to the size of the uploaded code and the number of users (arguably an effective business model for them, considering that the code will be shared and uploaded to the supplier’s SaaS platform).
  • Open source tools like SonarQube and FOSSology are hard to install and use, and it is next to impossible to export reports from them that suit a rigorous M&A process.
A veil of mystery surrounding the due diligence process creates a misconception about the computing power and resources required to perform it. Companies are led to believe that it can be executed only on super powerful cloud servers operated by a large team of experts. None of this is correct. Companies have been discouraged from handling the process with their own resources and are persuaded to buy expensive external professional services.
Moreover, most of these tools are designed to support the software development process (where the code is always available) without considering the unique requirements of the M&A’s technical due diligence.

The alternative: a complete technical due diligence solution that doesn’t require source code sharing

Unlike other products, c2m by CodeWeTrust is designed with all the needs of a modern, stressless M&A due diligence in mind. The product, the pricing, and business model have been formulated to support this need.
c2m is a fully dockerized solution that can be deployed on-premise and executed on any modern computer or cloud server. It is a complete solution leveraging AI methodology. c2m outperforms any existing product (BlackDuck, WhiteSource, SonarQube, Snyk), is 100% repeatable, and is more reliable than professional service-based offerings.
Only c2m delivers:
  • a complete technical due diligence in hours, not days (no code uploading required);
  • a simple installation process on a local or cloud server (takes less than an hour);
  • a fully automated experience that doesn’t require developers;
  • auto-generated comprehensive Executive and Engineering Reports containing major risks and action items;
  • package aging analysis that discovers discrepancies between the used version and newest one of each used library;
  • complete web security analysis reports covering both the vulnerabilities discovered by scanning the code and those registered in open source vulnerability databases (Red Hat, GitHub, etc.) for each linked library;
  • detailed code quality;
  • license compliance analysis;
  • development team analysis (Top performers, average performance etc.); and
  • integration with Jira, GitHub, GitLab and Bitbucket, and, through its DB interface, with commercial and open source BI tools.
c2m auto-generates all the reports, consolidating data from various sources. The information is organized in three levels of detail, serving:
  • executives;
  • engineering management; and
  • developers.
The automated reports save days (and the cost) of expensive professional services. The seamless integration with a CI/CD tool ensures a smooth post-acquisition handover to the engineering team.

How c2m supports technical due diligence without a code sharing request

c2m consists of two parts: the scanner and the business logic.
  • The scanner is offered as freemium and can be used by any company or individual wanting to assess the code and prepare a uniform technical due diligence report. The scanner also exports a locked file containing only the major findings and not a single line of code.
  • The business logic module visualizes the findings and exports detailed reports that cover all the requirements of a rigorous due diligence process.
A company can run the freemium version of c2m on a local computer or private cloud server and share the resulting findings file with the acquirer. The selling company cannot change (eliminate or revise) the findings.
The acquirer receives the encoded, password-protected binary file that contains the findings and then uses the licensed version of c2m to inspect the results and export the auto-generated, comprehensive technical due diligence reports. The tool (c2m) supports consistency checks.
The complete process can take less than a day depending on the code base size and the used computation power.
Upon process completion the acquirer extracts auto-generated reports containing all the necessary information that supports a risk-free decision.
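The findings-file exchange described above, as an added illustration that is not CodeWeTrust's code and does not describe how c2m actually seals or checks its file (the page states only that the file is encoded, password-protected, contains no code, and is consistency-checked): a seller-side step turns a constructed scan result (dependency list with licenses, a quality summary) into findings, adds the package-aging comparison from the feature list, and seals the result with an HMAC under a password-derived key; an acquirer-side step refuses to render anything unless the seal verifies and the file contains only the expected sections. The file layout, the key derivation, the section names and all sample data are assumptions made for this example.

```python
"""Added example (not CodeWeTrust's code): a sealed, code-free findings export.

Layout assumed here: 16-byte salt || 32-byte HMAC-SHA256 tag || JSON payload.
"""
import hashlib
import hmac
import json
import os

# Constructed sample scan output, standing in for what a seller-side scanner
# might collect. Only metadata appears: names, versions, licenses, counts.
SAMPLE_SCAN = {
    "dependencies": [
        {"name": "libfoo", "version": "1.2.0", "license": "MIT"},
        {"name": "libbar", "version": "2.0.0", "license": "GPL-3.0"},
        {"name": "libbaz", "version": "0.9.1", "license": "Apache-2.0"},
    ],
    "quality": {"duplicated_lines_pct": 4.2, "files": 318},
}
# Constructed "newest release" table standing in for a package registry lookup.
SAMPLE_LATEST = {"libfoo": "1.4.0", "libbar": "2.0.0", "libbaz": "1.1.0"}

# Hypothetical schema: the acquirer side rejects any other top-level section,
# which is the simplest form of "this file carries findings, not code".
ALLOWED_SECTIONS = {"dependencies", "quality", "aging"}

SALT_LEN, TAG_LEN, PBKDF2_ROUNDS = 16, 32, 200_000


def version_tuple(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def package_aging(deps, latest):
    """List every dependency whose used version lags the newest known one."""
    lagging = []
    for d in deps:
        newest = latest.get(d["name"])
        if newest and version_tuple(d["version"]) < version_tuple(newest):
            lagging.append({"name": d["name"], "used": d["version"], "newest": newest})
    return lagging


def canonical(findings):
    """Deterministic serialization so sealing and verification hash identical bytes."""
    return json.dumps(findings, sort_keys=True, separators=(",", ":")).encode()


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def seal_findings(scan, latest, password, salt=None):
    """Seller side: build the findings dict and seal it under the shared password."""
    findings = {
        "dependencies": scan["dependencies"],
        "quality": scan["quality"],
        "aging": package_aging(scan["dependencies"], latest),
    }
    payload = canonical(findings)
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    tag = hmac.new(derive_key(password, salt), payload, "sha256").digest()
    return salt + tag + payload


def open_findings(blob, password):
    """Acquirer side: verify the seal, then the schema, before trusting anything."""
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    payload = blob[SALT_LEN + TAG_LEN:]
    expected = hmac.new(derive_key(password, salt), payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("findings file was modified after sealing, or wrong password")
    findings = json.loads(payload)
    unexpected = set(findings) - ALLOWED_SECTIONS
    if unexpected:
        raise ValueError("unexpected sections in findings: %s" % sorted(unexpected))
    return findings


if __name__ == "__main__":
    blob = seal_findings(SAMPLE_SCAN, SAMPLE_LATEST, "shared-password")
    print(json.dumps(open_findings(blob, "shared-password")["aging"], indent=2))
```

One caveat a practitioner should keep in view: an HMAC under a password that the seller also knows only detects changes made after sealing. On its own it cannot prove that the seller ran an unmodified scanner; that property needs the scanner to hold a key the seller does not, or a reproducible re-scan under escrow, which the page does not detail for c2m.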

A better way for M&As

Although the availability of the source code facilitates the technical due diligence for the acquisition of a software company or software product, it is not a prerequisite. Technical due diligence requirements can be fulfilled without sharing the codebase, using a tool designed from the ground up to support the rigorous M&A process. This approach preserves the intellectual property of the seller without compromising the quality and depth of a successful technical due diligence.
Interested in learning more? Visit http://www.codewetrust.com