48% of Code Bases Examined Contained High-Risk Vulnerabilities
Mergers and acquisitions are a time to tread carefully.
While all M&A teams review financials, sales projections, key personnel, etc., it is much less likely that the review includes examining the code base being acquired for vulnerabilities. That is probably not a good decision.
Synopsys sells a service to review software during mergers and acquisitions and they say that at least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined.
Proprietary means code that the company being acquired uses internally. Just because it is not sold does not mean that vulnerability doesn’t represent a risk. It could represent a different way for a hacker to break in, steal your data, inject ransomware and a hundred other attack vectors.
On top of this, 48% of those code bases contained high-risk vulnerabilities. Their definition of high risk means vulnerabilities that:
- have been actively exploited,
- already have documented proof-of-concept exploits, or
- are classified as remote code execution attacks.
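The three criteria above are a triage rule, and the same rule is what a due-diligence team would run over the target's dependency inventory. The following added example (not code from the original post, Synopsys, or CSO Online) applies that rule to a constructed, pinned dependency list and a constructed advisory feed; the package names, versions, advisory ids and the `fixed_in` field are all assumptions, stand-ins for what a real software composition analysis feed would supply.

```python
"""Triage known-vulnerable dependencies using the post's high-risk definition.

Added example; the inventory, the advisories and the Advisory schema are
constructed for illustration and are not real packages or real advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str               # first version carrying the fix (assumed feed field)
    advisory_id: str            # placeholder ids; a real feed would supply CVE ids
    actively_exploited: bool
    public_poc: bool
    remote_code_execution: bool


@dataclass
class Finding:
    package: str
    version: str
    advisory_id: str
    reasons: List[str]          # empty list means affected but not high risk

    @property
    def high_risk(self) -> bool:
        return bool(self.reasons)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def parse_inventory(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines (requirements.txt style); skip comments."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not match:
            raise ValueError(f"unparseable pin: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """Assumed feed semantics: every version below fixed_in is affected."""
    return parse_version(version) < parse_version(adv.fixed_in)


def risk_reasons(adv: Advisory) -> List[str]:
    """Apply the post's three high-risk criteria to one advisory."""
    reasons = []
    if adv.actively_exploited:
        reasons.append("actively exploited")
    if adv.public_poc:
        reasons.append("public proof-of-concept")
    if adv.remote_code_execution:
        reasons.append("remote code execution")
    return reasons


def triage(pins: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Match advisories against the pinned inventory and label each hit."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None or not is_affected(version, adv):
            continue
        findings.append(Finding(adv.package, version, adv.advisory_id, risk_reasons(adv)))
    return findings


def summarize(findings: List[Finding]) -> Tuple[int, int]:
    """Return (affected count, high-risk count) for the deal memo."""
    return len(findings), sum(1 for f in findings if f.high_risk)


# Constructed inventory of the code base being acquired.
INVENTORY = """\
# pinned dependencies (constructed sample)
libfoo==1.2.3
netparse==0.9.0
imgcodec==2.0.1
logfmt==3.1.0
"""

# Constructed advisory feed with placeholder ids.
ADVISORIES = [
    Advisory("libfoo", "1.2.5", "ADV-PLACEHOLDER-0001", True, False, False),
    Advisory("netparse", "1.0.0", "ADV-PLACEHOLDER-0002", False, True, True),
    Advisory("imgcodec", "2.0.0", "ADV-PLACEHOLDER-0003", True, True, True),  # already fixed
    Advisory("logfmt", "3.2.0", "ADV-PLACEHOLDER-0004", False, False, False),  # affected, not high risk
]

if __name__ == "__main__":
    results = triage(parse_inventory(INVENTORY), ADVISORIES)
    for f in results:
        label = "HIGH RISK: " + ", ".join(f.reasons) if f.high_risk else "affected"
        print(f"{f.package}=={f.version} {f.advisory_id} [{label}]")
    print("affected=%d high_risk=%d" % summarize(results))
```

Running it lists three affected pins, two of them high risk; the pin that is already at or above the fixed version is not reported. In a real engagement the advisory list comes from an SCA feed and the inventory from the build's lockfiles, but the triage rule stays the same.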
The company produces a report with details, but you probably don’t really need the details.
Whether it is open source or closed source, vulnerabilities represent a risk that you are buying, along with the company.
This risk, unlike some risks, does not have an expiration date. As long as that code is still being used, it is a risk. We regularly see bugs in code that are 10 years, sometimes 20 years old before being discovered. Sometimes, they are discovered by the good folks, but more often, they are discovered by, well, the not so good ones.
We saw during the Yahoo/Verizon acquisition that Yahoo shareholders lost a half billion dollars in valuation due to vulnerabilities. This was disclosed just before the deal closed. Yahoo was forced to reduce the sale price by that much and Verizon shareholders dodged a bullet.
Whichever side of the deal you are on, you want to know what you are getting yourself into. If you are selling, the last thing you want to have happen is for the buyer to analyze the code base and say, gee, we need to renegotiate the price or we are going to walk away. If you are the buyer, you don’t want to find out about the vulnerabilities after you close the deal.
If this sets off alarm bells for you, please contact us.
Credit: CSO Online