Software Due Diligence in Five Steps

Thursday, June 17, 2021

Buyers and sellers of software assets often require thorough due diligence performed rapidly—as little as two weeks. Technical and business skills are both critical to conduct such evaluations. If the system and its interdependencies are highly complex, advanced automated software tools assist the review. Based on assessments conducted over 40 years, Princeton Consultants has established a methodology that blends management consulting and software development expertise, as seen in two recent cases.

In the first, a U.S. consortium of more than 100 TV stations was in the process of acquiring a media management and workflow orchestration software suite; leaders sought a prompt due diligence review to clarify the status and quality of the software. In the second, a startup social network, seeking to challenge Facebook, abruptly shut down. The board of directors terminated the management team and sought a rapid, high-level analysis and evaluation of the software assets—a mobile app, website, and microservices—and the engineering workmanship behind the application suite. The protection of the users’ Personally Identifiable Information (PII) was critical.

Software Due Diligence Methodology

1. Initial discovery.

For the broadcast consortium, the Princeton team interviewed the software suite’s key designers, including the application owner and chief architect, to understand its purpose, motivation, and output, and to identify the technology used and the reasons for choosing it.

For the social network, the Princeton team interviewed Accounts Payable personnel and reviewed the system architecture to determine software vendors and spend, assessing which relationships to maintain and which to end during the asset sale. The team then accessed the platform to determine whether the salable assets were still available, while simultaneously shutting down any services hosting customers’ private data. The initial analysis identified the repositories holding the system IP, as well as the extent and location of the PII data.

2. Code review.

The team reviewed the broadcast TV software application code as represented by three primary repositories, with confirmatory reviews of many of the additional repositories as well. It used automated scanning tools (for standards compliance, coding errors, and external library usage) together with manual reviews to assess the level of security, the modularization of the software, and its testability and test coverage.

For the social network, the team examined virtual machine images and system documentation to find source code and configuration details. Because the shutdown was abrupt, it was not known before the review which languages the three software assets were written in.

3. Documentation review.

The broadcast TV application’s documentation was reviewed for clear recording of the design and architecture. This review phase also assessed the ease of continuity: the developer setup instructions, including the list of tools and methodologies used; process and procedure definitions; and instructions for configuring development, integration, and production environments.

At the social network, the email accounts of the former sysadmin and of other key players in the system’s development were reviewed. A wide variety of documents were examined in the search for documentation of the CI/CD processes.

4. Installation review.

The Princeton team identified the development methodology used for the TV software and the degree of compliance with that methodology’s best practices. It gained an understanding of the granularity of work units and the use of continuous integration and deployment tools. It evaluated the completeness of documentation of intended functionality, technical design, test process, and success metrics.

The team logged into the social network’s software code repository and conducted an assessment to determine, first, whether it contained the complete application. The team catalogued related accounts and products that were part of the stack, such as third-party APIs, SaaS vendors, and libraries that were part of the running application. The team searched for the applicable licenses and contact information, as well as the user data storage location. The team assessed the encryption and located the encryption keys.
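The code review step above mentions automated scanning of external library usage, and the installation review step mentions locating licenses and encryption keys. The following is an added example of the kind of repository inventory helper a reviewer can run to support both steps; it is illustrative code written for this article, not Princeton Consultants’ tooling. It assumes a repository checkout represented as path-to-content mappings, standard Python and Node manifest formats, and simple pattern heuristics for key material; the sample files are constructed and the secret values in them are placeholders.

```python
"""Repository inventory helper for software due diligence (added example).

Answers two reviewer questions over a checkout: which third-party libraries
are declared, and where key or credential material sits in the tree so it can
be secured or rotated before an asset sale. Heuristics are deliberately simple;
treat findings as leads for manual review, not as a complete scan.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample checkout (path -> file content). Secret values are fake.
SAMPLE_REPO: Dict[str, str] = {
    "api/requirements.txt": (
        "flask==2.0.1\nrequests>=2.25\n# pinned for TLS fix\ncryptography==3.4.7\n"
    ),
    "web/package.json": json.dumps({
        "name": "web-client",
        "license": "MIT",
        "dependencies": {"react": "^17.0.2", "axios": "^0.21.1"},
        "devDependencies": {"jest": "^27.0.0"},
    }),
    "LICENSE": "MIT License\n\nCopyright (c) <constructed placeholder>\n",
    "deploy/config.env": (
        "DB_HOST=db.internal\nAWS_SECRET_ACCESS_KEY=PLACEHOLDER_NOT_A_REAL_KEY\n"
    ),
    "deploy/keys/service.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n<constructed placeholder body>\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# Service\nRun with `make up`.\n",
}

# PEM-armoured private keys of any type (RSA, EC, generic PKCS#8).
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assignment of a secret-looking variable name to a non-empty value.
SECRET_ASSIGN_RE = re.compile(
    r"^\s*([A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*\S+", re.M
)


def parse_requirements(text: str) -> List[str]:
    """Return package names from a pip requirements file, ignoring pins/comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first version operator or whitespace to keep the name only.
        deps.append(re.split(r"[=<>!~ ]", line, maxsplit=1)[0].lower())
    return deps


def parse_package_json(text: str) -> Tuple[List[str], str]:
    """Return (dependency names, declared license) from a package.json."""
    data = json.loads(text)
    deps = list(data.get("dependencies", {})) + list(data.get("devDependencies", {}))
    return deps, data.get("license", "")


def inventory(files: Dict[str, str]) -> dict:
    """Build a report of libraries, licenses and key-material locations."""
    report = {"libraries": {}, "licenses": [], "key_material": []}
    for path, content in files.items():
        base = path.rsplit("/", 1)[-1]
        if base == "requirements.txt":
            report["libraries"][path] = parse_requirements(content)
        elif base == "package.json":
            deps, lic = parse_package_json(content)
            report["libraries"][path] = deps
            if lic:
                report["licenses"].append((path, lic))
        elif base.upper().startswith("LICENSE"):
            # Record the first line, which normally names the license.
            report["licenses"].append((path, content.splitlines()[0].strip()))
        # Key-material checks run on every file regardless of its name.
        if PEM_RE.search(content):
            report["key_material"].append((path, "PEM private key"))
        for match in SECRET_ASSIGN_RE.finditer(content):
            report["key_material"].append((path, f"assignment to {match.group(1)}"))
    return report


if __name__ == "__main__":
    result = inventory(SAMPLE_REPO)
    for manifest, libs in result["libraries"].items():
        print(f"{manifest}: {', '.join(libs)}")
    for path, lic in result["licenses"]:
        print(f"license in {path}: {lic}")
    for path, kind in result["key_material"]:
        print(f"key material in {path}: {kind}")
```

Pointing the inventory at a real checkout means reading each file into the mapping first; the library list feeds license and vulnerability review of third-party dependencies, and the key-material list is the starting point for deciding which keys must be rotated or excluded before assets change hands.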

5. Architect interviews.

Princeton teams confirm findings through follow-up interviews. For the TV consortium, the software architect explained the decision-making behind technical and architectural choices. At the social network, additional personnel were consulted.

Results

Princeton Consultants found that the TV software suite is currently in a strong “start-up” position. Well-chosen, industry-leading software development languages, methodologies and tools have been employed. Much of the suite is modularized well, which allows efficient code sharing and improves maintainability. The consortium completed the acquisition of the software suite. Its software and cloud architecture will allow stations to leverage new interactive and addressable features to further enhance the service. Princeton Consultants provided an executive briefing and report to the board of the social network that included an inventory of the repositories holding the social network’s valuable intellectual property for potential sale, along with the documentation of the safe deletion of all PII.

To learn more, visit the Princeton Consultants software due diligence webpage.