Synopsys is broadening its offerings and expanding its reach with the deal; the acquisition price in the quickly-growing security market appears reasonable.

Black Duck has developed open source security and compliance testing software that reduces vulnerabilities early in the software development process, saving companies money.

Quick Take

EDA software firm Synopsys (SNPS) has agreed to acquire Black Duck Software for $548 million net of cash.

Black Duck has developed software solutions for open source installations to enhance application security, container security and license compliance.

Synopsys is acquiring Black Duck because it provides early detection of open source security and compliance issues, reducing development mistakes and costs. The deal price appears to be reasonable in the fast-growing global application security market.

Target Company

Burlington, Massachusetts-based Black Duck was founded in 2003 to improve security for open source software installations.

Management is headed by CEO Lou Shipley, who has been with the firm since 2013 and was previously CEO of VMTurbo.

Below is an overview video of Black Duck’s Hub system:

(Source: BlackDuckSoftware)

Black Duck’s primary offerings include:

Hub - Discover all open source software in a company’s codebase

Protex - Automates open source software license compliance

Security Checker - Known vulnerabilities checker for open source code

Black Duck's investors have provided over $75 million in funding since 2004 and include a large syndicate of institutional and strategic investors.

Market

According to a 2017 market research report by Gartner, global spending on IT security will reach $86.4 billion in 2017, a 7% increase vs. 2016.

The main drivers of this expected growth will be security testing, DevOps, security services from IT outsourcing, consulting and implementation services.

Additionally, the EU GDPR (General Data Protection Regulation) will also have a global effect since multinationals will also need to adhere to the new law.

Notably, the report describes the transition toward bundling of managed security services with broader IT outsourcing projects.

In the Asia Pacific region, the report said that by 2021, over 80% of large Chinese businesses will use network security hardware from a local vendor, requiring software to be compatible with the local hardware, likely favoring Chinese security software firms.

Acquisition Terms and Rationale

Synopsys is paying $548 million net of cash for Black Duck, which it expects to contribute $55 - $60 million in fiscal 2018 (July 31) revenue.

Black Duck generated trailing twelve months revenue of approximately $76 million, and Synopsys is, therefore, paying a Price/Sales multiple of 7.2x, a not unreasonable multiple given forecasted growth of the global IT security market.

As of July 31, 2017, Synopsys had $1.3 billion in cash and short-term equivalents, so it appears to have ample resources to pay for the deal without undue hardship or taking on debt.

Management expects Black Duck to be dilutive by 12 cents to 2018 non-GAAP EPS. GAAP effects are likely worse.

The combination with Black Duck stands to both broaden Synopsys’ product offerings and expand its customer reach by giving it a significant open source system.

As Andreas Kuehlmann, SVP and GM of Synopsys Software Integrity Group stated in the deal announcement,

Our vision is to deliver a comprehensive platform that unifies best-in-class software security and quality solutions. Development processes continue to evolve and accelerate, and the addition of Black Duck will strengthen our ability to push security and quality testing throughout the software development lifecycle, reducing risk for our customers. We look forward to working with Black Duck's experienced team as we drive our combined solution to the next level of value for our customers.

Synopsys is acquiring Black Duck because it enables businesses to identify security and compliance issues earlier in the development process, reducing costly mistakes and re-development.

Although the transaction was likely valued on a strategic rather than revenue accretion basis, the deal appears to be fairly valued and should pay dividends for Synopsys over the medium term as it integrates the technology into its offerings.

