The state of software in tech companies: Top three insights
Investing in a tech company is no small feat; it requires a deep understanding of the prospective company's strengths and weaknesses, notably its software assets. Herein lies the significance of technology due diligence: it is not just a means of avoiding pitfalls, but a strategy to unlock latent value. By focusing on three key pillars – cybersecurity, scalability/maintainability, and open-source software (OSS) risks – we can shed light on the current state of software in tech companies.
The imperative of proactive cybersecurity practices
With the escalating prevalence and sophistication of cyber threats, from data breaches to ransomware, cybersecurity forms the bedrock of any successful tech organization. The sheer volume of attacks – more than 10 attacks per second according to Forescout’s 2022 Threat Roundup Report – underscores the necessity of understanding the cyber health of an investment prospect [1].
In this context, a significant finding from our technology due diligence reviews is that many companies tend to take a reactive, rather than proactive, approach towards cybersecurity. Often, these companies only integrate cybersecurity measures after the development and deployment of their software products, primarily in the form of penetration testing, or ‘pen tests’. This approach, while seemingly thorough, can overlook the critical importance of integrating cybersecurity measures throughout the development lifecycle, potentially leaving the software vulnerable.
While pen testing is undoubtedly a valuable tool in a robust cybersecurity strategy, its use alone is inadequate. It only offers a snapshot of the system's vulnerabilities at a particular moment in time but does not account for the dynamic nature of cyber threats that continuously evolve. Furthermore, since pen tests are typically conducted post-deployment, they fail to address cybersecurity from an architectural or developmental perspective. This could lead to vulnerabilities being baked into the system that are difficult to rectify post-deployment.
A key tool in proactive cybersecurity is code scanning. These scans meticulously comb through lines of code, revealing vulnerabilities not always apparent to human reviewers. For example, they can uncover issues such as insecure direct object references (IDORs) and unpatched versions of software vulnerable to known exploits. Importantly, because they examine the code and its dependencies rather than a single deployed snapshot, these scans can anticipate future risks, allowing investors to understand potential threats that may emerge over time.
Scalability & maintainability: The necessity of automated testing
Maintainable and scalable software is a critical determinant of the long-term success of any tech company. In our technology due diligence processes, we often come across a recurring issue that significantly impacts both these facets: the lack of sufficient automated tests.
Automated testing is the practice of running a suite of tests that verify the integrity of a software system without the need for human intervention. It's an integral part of software development that ensures the code behaves as expected, and it aids in catching issues or bugs early in the development process. When automated tests are run regularly, they can quickly identify problems introduced by recent changes, ensuring that errors are spotted and fixed promptly.
Unfortunately, our experts at Vaultinum have found that many companies either do not prioritize automated tests or relegate them to their roadmaps as future enhancements. As a result, automated tests are conducted sporadically or in reaction to emergencies, rather than as a consistent, preventive measure. This approach can lead to a fragile codebase prone to bugs and errors, which can disrupt the user experience and cause reputational damage.
From a scalability perspective, automated tests ensure that the system can handle increased loads without compromising performance. By catching and fixing errors early, automated tests help to ensure that new features or increased usage do not introduce unexpected problems. Thus, the software can scale smoothly and efficiently as the company grows.
A low ratio of test files to source code files is a risk that potential investors need to be aware of. Encouraging companies to address this issue will enhance both the scalability and maintainability of their software systems.
Navigating open-source software risks: The underestimated threat of copyleft components
Open-source software (OSS) holds tremendous benefits, offering rapid development, cost savings, and a wealth of shared knowledge. However, OSS also brings unique challenges that require diligent management. A recurring issue in this area is the significant prevalence of copyleft components and the underestimation of associated risks by the tech leadership.
Copyleft components, found in approximately 96% of all our source code scans, are components distributed under licenses that grant the right to distribute copies and modified versions of a work, on the condition that the same rights are preserved in derivative works. Of these, a staggering 86% could potentially present contamination risks, such as the use of GPL-licensed code in commercialized software, which poses challenges to monetization.
Interestingly, in many tech companies, the extent of these risks is often underestimated or misunderstood. While conducting due diligence, we've encountered numerous CTOs who were unaware of the significant implications of these copyleft components in their codebase. This lack of awareness is understandable, given the intricate landscape of OSS licensing. However, the potential fallout – intellectual property infringement, forced source code disclosure, and even litigation – can be devastating for a business.
While OSS is a powerful tool in software development, its potential risks necessitate meticulous management. With comprehensive due diligence and proper OSS risk management strategies, companies can leverage OSS benefits while mitigating associated risks. This process is crucial for assuring potential investors of the viability and long-term stability of their investment.
Conclusion
The investment landscape in tech companies demands more than just a surface-level understanding of prospects. Private equity firms must delve deeper into the intricacies of their potential investments. This involves rigorous technology due diligence that focuses on critical aspects like cybersecurity, maintainability/scalability, and OSS risks. By conducting a comprehensive analysis that includes a code scan, hidden challenges can be revealed, investment risks can be quantified, and deep insights into the state of software in tech companies can be obtained.
Kristin Avon is a registered attorney specialising in the areas of intellectual property and IT law. She is a member of Vaultinum’s Strategy and Legal Commissions charged with overseeing and implementing the policies and processes related to the protection of digital assets.
References:
[1] Forescout Research; Vedere Labs. “2022 Threat Roundup Report: The Emergence of Mixed IT/IoT Threats.” Forescout Technologies, Inc. 2023.
[2] Krasner, H. “Cost of Poor Software Quality in the U.S.: A 2022 Report.” Consortium for Information and Security Quality. 2022.