Why business leaders must add software due diligence to their investment arsenal

Philippe Thomas, CEO at Vaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this. 
Philippe Thomas, CEO at Vaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this. 

In the Department for Business, Energy & Industrial Industry’s 2021 UK Innovation Strategy, the UK government marks technology as a priority sector, owing to its fundamental contributions to pressing national and global challenges. The sector’s importance has also been demonstrated by its growth, with investment in the UK’s tech startups and scaleups reaching a record £13.5bn in the first half of this year. This widespread belief that the tech industry has a crucial role to play in our economy and society makes getting tech investment right more important than ever; the stakes have never been higher. 

Due diligence is an essential step in the pre-acquisition and investment rounds phase of any deal, regardless of its contents. These efforts have historically focused on financial, legal, human resources, and operations, which are evidently of the utmost importance for investors. Whilst software due diligence is now implemented by some investors, it is generally not comprehensive, not carried out by experts, and done manually, meaning that many issues are not identified. Due diligence processes simply haven’t caught up to the growing collective understanding that software is significant, or some would even say a primary, asset in most deals taking place today. This urgently needs to change.

Making the move to comprehensive software due diligence 

As leaders will already be aware, due diligence is an investigative process undertaken before entering into an investment with another party. The importance of due diligence as a concept is widely understood but including software within its remit is not so well-known. Software due diligence is a process of identifying vulnerabilities associated with a software and its source code, covering areas such as maintainability, scalability, data security risks, and licensing. Acquiring an awareness of these risks helps investors and buyers mitigate catastrophic legal, financial, and reputational consequences in the future.

As with any form of due diligence, it is important that investors choose a reliable and specialized third party to provide this service. In order to run software due diligence, the third-party provider will need to gain access to the software’s source code, usually kept under lock and key. To ensure that the software remains protected throughout the due diligence process, investors must opt for a provider that is ISO27001 certified, has experience in securely archiving data, and uses siloed servers located in a place where regulation provides strong data protection. Once a provider has been chosen, the process can begin with an assessment of the organization’s existing understanding of security issues and protection measures. Then follows an in-depth analysis of every line of the source code, with a report being produced that offers a comprehensive picture of any risk areas and precise resolution recommendations. At the end of this process, investors will be much more knowledgeable about the software they are investing in and make a well-informed decision about whether to invest. If they do choose to invest, they will enter the investment equipped with a detailed understanding of the exact measures urgently required to secure their investment. 

Identifying potential risk points in a software

There are a number of potential issues that can be identified through software due diligence, which truly highlight the importance of its execution. Data vulnerabilities are perhaps some of the most visible software risks within the business community, owing to a sharp rise in publicity for data breaches that have occurred during mergers and acquisitions in recent years. An infamous example that took place in 2016 is that of Marriot International, a hotel chain that acquired Starwood Hotels & Resorts in a deal to the tune of US$13.3bn. Marriot were ultimately fined $123mn by Britain’s Information Commissioner’s Office when it was revealed that a 2014 data breach in Starwood’s reservation system exposed 400 million guests’ personal data. Even though the breach itself occurred prior to the merger, Marriot remained financially and legally liable for Starwood’s mistake, and the two businesses suffered lasting reputational injuries. If Marriot had carried out more comprehensive software due diligence prior to the merger, this may have been identified, and its catastrophic consequences avoided. 

A less publicized but nevertheless extremely important potential vulnerability is that of maintainability, which in turn affects a software’s scalability. Given that comprehensive software due diligence is able to analyze every line of a software’s code, it is able to flag any areas within the code that may currently or in the near future no longer be maintainable. In doing so, the analysis highlights any use of code that no longer functions as it was originally intended, or usage of open source software that has become out of date and cannot easily be maintained by another developer. Any such evidence signifies that the software lacks maintainability and suggests that it is unlikely to be scalable. As a result, investors can easily understand whether software is worth investing in or not; even if you pour capital into ‘dinosaur’ software, it may not return significant profits in the long run.

Finally, comprehensive software due diligence analyses the usage of open source software within a wider code base. Drawing on open-source software is not a red flag in itself; it speeds up development and provides a constant stream of new and innovative solutions generated by developers working together worldwide. However, pressure to develop fast can mean that developers lose sight of the licensing restrictions attached to open source software. If a license is particularly contaminating, businesses may be liable to pay a fee for the usage of open source code, or even be required to make the entire in-house developed code base public. Investors must be aware of any such licenses before they make an investment because they can vastly change the value and terms of the asset. 


Entering an investment with an awareness of any potential vulnerabilities is essential for those investing in software, to avoid dramatic reputational, financial, and legal damage. Investors must begin to include comprehensive software due diligence, carried out by a trusted third party, into their pre-acquisition routine, before it’s too late. 

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

An image of due diligence, News, Why business leaders must add software due diligence to their investment arsenal

Philippe Thomas

Philippe Thomas is the CEO of Vaultinum, a trusted independent third-party specialized in the protection and audit of digital assets. He has 20+ years of experience in the fintech industry, having started his career in open outcry market surveillance, extending into business development and becoming a COO, before starting his journey with Vaultinum in 2019. Vaultinum provide software escrow contracts, copyright deposit solutions, and software due diligence tools to top tier firms, private equities, and VCs worldwide.

Hacking Cyber Security’s battle for workers

Andrew Marsh • 30th September 2022

Cyber attacks are increasing exponentially, cyber professionals are quitting, and ultimately, no one is replacing them. Worldwide, the cyber workforce shortfall is approximately 3.5 million people. We have a mountain to climb. While there are rising numbers of people with security degrees and qualifications, this falls way short of industry demand.

Getac becomes British Touring Car Championship official technology partner

Chris Gibbs • 29th September 2022

In competitive motorsports, the smallest detail can be the difference between winning and losing. Getac is the official technology partner to the British Touring Car Championships (BTCC) helping it achieve its digital transformation goals, putting a wealth of information at the fingertips of both race officials and teams alike, and helping deliver incredibly exciting racing.

The Time is Now for Digital Transformation

Paul Waddilove • 29th September 2022

According to a McKinsey research report, 70% of enterprises that had taken on digital transformation reported in 2020 that their momentum had stalled. It is worth understanding the reasons–culture or scale for example–causing the slowdown as the payoffs from digital transformation can be impressive. It can lead to more efficient operations, with enterprises enjoying autonomy...

Addressing the environmental impact of the data centre

David Watkins • 29th September 2022

David Watkins, solutions director at VIRTUS Data Centres , share how you may have seen the recent news that Thames Water has launched a probe into the impact of data centres on water supplies in and around London, as it imposed a hosepipe ban on its 15 million customers in a drought-hit area. Ensuring that...

How Can Businesses Ensure Efficient Management of COSU Devices

Nadav Avni • 29th September 2022

Nadav Avni, Chief Marketing Officer at Radix Technologies, shares how when it comes to speeding up queues and providing instant information, nothing beats corporate-owned, single-use (COSU) devices. When put in kiosk mode, these devices become efficient digital assistants that collect and share information.

The Cloud – Debunking the Myth

Guy Parry Williams • 26th September 2022

Mid-sized businesses are head down, wrestling with constantly evolving operational challenges, from skills shortages to supply chain delays and raging inflation. Management teams lack the time and often confidence to explore technology innovation and, as a result, too many companies are missing vital opportunities to cut costs, boost efficiency and reach new customers.