Why business leaders must add software due diligence to their investment arsenal

Philippe Thomas, CEO at Vaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this. 
Philippe Thomas, CEO at Vaultinum, explains why the current due diligence measures carried out by many investors are insufficient, given that software is increasingly a primary asset. Philippe discusses the main risks that threaten investors who do not implement comprehensive software due diligence and gives advice on how to change this. 

In the Department for Business, Energy & Industrial Industry’s 2021 UK Innovation Strategy, the UK government marks technology as a priority sector, owing to its fundamental contributions to pressing national and global challenges. The sector’s importance has also been demonstrated by its growth, with investment in the UK’s tech startups and scaleups reaching a record £13.5bn in the first half of this year. This widespread belief that the tech industry has a crucial role to play in our economy and society makes getting tech investment right more important than ever; the stakes have never been higher. 

Due diligence is an essential step in the pre-acquisition and investment rounds phase of any deal, regardless of its contents. These efforts have historically focused on financial, legal, human resources, and operations, which are evidently of the utmost importance for investors. Whilst software due diligence is now implemented by some investors, it is generally not comprehensive, not carried out by experts, and done manually, meaning that many issues are not identified. Due diligence processes simply haven’t caught up to the growing collective understanding that software is significant, or some would even say a primary, asset in most deals taking place today. This urgently needs to change.

Making the move to comprehensive software due diligence 

As leaders will already be aware, due diligence is an investigative process undertaken before entering into an investment with another party. The importance of due diligence as a concept is widely understood but including software within its remit is not so well-known. Software due diligence is a process of identifying vulnerabilities associated with a software and its source code, covering areas such as maintainability, scalability, data security risks, and licensing. Acquiring an awareness of these risks helps investors and buyers mitigate catastrophic legal, financial, and reputational consequences in the future.

As with any form of due diligence, it is important that investors choose a reliable and specialized third party to provide this service. In order to run software due diligence, the third-party provider will need to gain access to the software’s source code, usually kept under lock and key. To ensure that the software remains protected throughout the due diligence process, investors must opt for a provider that is ISO27001 certified, has experience in securely archiving data, and uses siloed servers located in a place where regulation provides strong data protection. Once a provider has been chosen, the process can begin with an assessment of the organization’s existing understanding of security issues and protection measures. Then follows an in-depth analysis of every line of the source code, with a report being produced that offers a comprehensive picture of any risk areas and precise resolution recommendations. At the end of this process, investors will be much more knowledgeable about the software they are investing in and make a well-informed decision about whether to invest. If they do choose to invest, they will enter the investment equipped with a detailed understanding of the exact measures urgently required to secure their investment. 

Identifying potential risk points in a software

There are a number of potential issues that can be identified through software due diligence, which truly highlight the importance of its execution. Data vulnerabilities are perhaps some of the most visible software risks within the business community, owing to a sharp rise in publicity for data breaches that have occurred during mergers and acquisitions in recent years. An infamous example that took place in 2016 is that of Marriot International, a hotel chain that acquired Starwood Hotels & Resorts in a deal to the tune of US$13.3bn. Marriot were ultimately fined $123mn by Britain’s Information Commissioner’s Office when it was revealed that a 2014 data breach in Starwood’s reservation system exposed 400 million guests’ personal data. Even though the breach itself occurred prior to the merger, Marriot remained financially and legally liable for Starwood’s mistake, and the two businesses suffered lasting reputational injuries. If Marriot had carried out more comprehensive software due diligence prior to the merger, this may have been identified, and its catastrophic consequences avoided. 

A less publicized but nevertheless extremely important potential vulnerability is that of maintainability, which in turn affects a software’s scalability. Given that comprehensive software due diligence is able to analyze every line of a software’s code, it is able to flag any areas within the code that may currently or in the near future no longer be maintainable. In doing so, the analysis highlights any use of code that no longer functions as it was originally intended, or usage of open source software that has become out of date and cannot easily be maintained by another developer. Any such evidence signifies that the software lacks maintainability and suggests that it is unlikely to be scalable. As a result, investors can easily understand whether software is worth investing in or not; even if you pour capital into ‘dinosaur’ software, it may not return significant profits in the long run.

Finally, comprehensive software due diligence analyses the usage of open source software within a wider code base. Drawing on open-source software is not a red flag in itself; it speeds up development and provides a constant stream of new and innovative solutions generated by developers working together worldwide. However, pressure to develop fast can mean that developers lose sight of the licensing restrictions attached to open source software. If a license is particularly contaminating, businesses may be liable to pay a fee for the usage of open source code, or even be required to make the entire in-house developed code base public. Investors must be aware of any such licenses before they make an investment because they can vastly change the value and terms of the asset. 


Entering an investment with an awareness of any potential vulnerabilities is essential for those investing in software, to avoid dramatic reputational, financial, and legal damage. Investors must begin to include comprehensive software due diligence, carried out by a trusted third party, into their pre-acquisition routine, before it’s too late. 

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Philippe Thomas

Philippe Thomas is the CEO of Vaultinum, a trusted independent third-party specialized in the protection and audit of digital assets. He has 20+ years of experience in the fintech industry, having started his career in open outcry market surveillance, extending into business development and becoming a COO, before starting his journey with Vaultinum in 2019. Vaultinum provide software escrow contracts, copyright deposit solutions, and software due diligence tools to top tier firms, private equities, and VCs worldwide.

eCMR: If not now, then when?

Gerry Daalhuisen • 17th July 2024

There have been several unexpected pit stops on the road to eliminating paper-based processes in logistics. But, is paper finally set to be a thing of the past?

Tackling Tech Debt

Wes van den Berg • 16th July 2024

5 years ago if you were a CIO without a cloud strategy you’d likely be out of a job. But making decisions in haste might mean businesses ended up with technology they regret, that doesn’t deliver on the promised value.

Laying the foundations for global connectivity

Waldemar Sterz • 26th June 2024

With the globalisation of trade, the axis is shifting. The world has witnessed an unprecedented rise in new digital trade routes that are connecting continents and increasing trade volumes between nations. Waldemar Sterz, CEO of Telegraph42 explains the complexities involved in establishing a Global Internet and provides insight into some of the key initiatives Telegraph42...

IoT Security: Protecting Your Connected Devices from Cyber Attacks

Miro Khach • 19th June 2024

Did you know we’re heading towards having more than 25 billion IoT devices by 2030? This jump means we have to really focus on keeping our smart devices safe. We’re looking at everything from threats to our connected home gadgets to needing strong encryption methods. Ensuring we have secure ways to talk to these devices...