Synopsys, the California-based specialist in automated software security testing, confirmed to QA Financial it has agreed to offload its software integrity unit SIG to a consortium of private equity firms in a deal that is valued at $2.1 billion, one of the biggest takeovers in the QA space so far this year.
The deal is controversial, because Sunstone Partners is currently suing Synopsys over SIG’s software testing elements.
Despite the ongoing legal action, a group of private equity investors, led by Clearlake Capital and Francisco Partners, managed to outbid several investor rivals for the business that develops and runs security testing apps and solutions for software developers.
The deal includes around $475 million in cash that will be payable once the buyout firms hit a number of agreed targets that are linked to the takeover agreement.
Sassine Ghazi, the CEO of Synopsys, said the sale “made sense” since the company plans to concentrate on micro-chips as it wants to “capitalize on the AI-driven era.”
When contacted by QA Financial, Synopsys declined to discuss the deal in more detail but Clearlake Capital did say the group plans to change the name of the Software Integrity Group (SIG).
“We will release the name of the new business at a later date,” a California-based spokesperson said.
The SIG deal is expected to close in the second half of this year. The private equity firms plan to re-launch the firm as a new stand-alone security testing app software provider.
In January, Synopsys hinted it may sell the unit when it announced the formation of a Technical Advisory Board (TAB) to guide the SIG group.
A five-member board of experienced software and security executives advised Synopsys on broader trends in the software industry, provided input on its solutions strategy, and helped align its priorities with the requirements of its customers and market.
Lawsuit
The announced deal is not entirely uncontroversial because the agreement comes less than a month after a California-based private equity firm sued Synopsys for allegedly violating an exclusivity agreement with regards to the security testing solutions within SIG.
Investor firm Sunstone Partners has gone to court as it stated it had signed a letter with the tech giant to buy the testing elements within the latter’s software integrity unit called SIG.
However, before any deal was reached it has been reported that Synopsys commenced with a public sale of the SIG division. This was before the end of an agreed-upon exclusivity period.
This led to Sunstone taking the – in its own words ‘unusual’ – step to file a lawsuit with the Delaware Chancery Court in the U.S.
The investor is reportedly demanding monetary damages as well the reimbursement for “millions of dollars in fees and expenses.”
“We have much bigger fish to fry right now.”
– Synopsys’ email to Sunstone
Sunstone claims that Synopsys has failed to respect the agreement when it kicked off the public sale at the end of last year, because – in October of last year – the private equity firm had reportedly signed a deal to acquire the security testing solutions within the SIG unit.
Sunstone alleged in court filing 2024-0261 that Synopsys was aware a public sale of its SIG subsidiary would breach the agreement but the company “just did not care.”
“Soon after its earning calls on November 30, Synopsys wrote in an email to Sunstone that ‘we have much bigger fish to fry right now,’ namely the recently announced ‘decision regarding the whole SIG business,’” Sunstone lawyers stated in the complaint.
In an email statement to QA Financial, Sunstone Partners said with regards to the legal action that “we have never done anything like this before and do not expect that we would ever do this again in the absence of extraordinary circumstances.”
Sunstone Partners Management v. Synopsys, 2024-0261 is ongoing, currently pending at Delaware Chancery Court in the U.S.
Latest testing solution
The agreed sale also comes just six weeks after SIG announced plans to roll out a new dynamic application security testing solution.
Some analysts believe this may have pushed up the price for SIG slightly, as negotiations coincided with the launch of the new solution.
The tool, which has gone live, is aimed at DevOps teams to help them detect security flaws in web applications.
“This platform empowers development, security, and DevOps teams to swiftly detect and address security flaws in contemporary web applications while maintaining development momentum,” according to Jason Schmitt, general manager of SIG.
With streamlined onboarding and setup, intelligent attack execution, and an analysis engine tailored for DevSecOps workflows, Schmitt said the new solution “marks a significant advancement in security testing capabilities” for banks, insurance firms and other large finance institutions that run large IT systems and mobile apps.
“Legacy DAST tools can be too slow and difficult to use in fast-paced development environments.”
– Jason Schmitt, general manager of SIG
Schmitt stressed that the platform enables development and security teams to address vulnerabilities in proprietary source code, open-source dependencies, and application behaviour through an integrated application security testing solution.
“Underpinned by cloud architecture and scalable multi-tenant SaaS delivery, we make it easy for developers to onboard and start scanning in minutes while enabling security teams to track testing activities and manage risk across thousands of applications,” he continued.
Schmitt pointed out that SIG spotted a healthy appetite for the solution in the existing test market, since most existing tools are complex and slow.
“Dynamic analysis is an essential technology for securing modern web applications, but legacy DAST tools can be too slow and difficult to use in fast-paced development environments,” he noted.
“We have evolved the powerful and accurate scanning technology from Whitehat Security to create a solution designed for the speed of modern development,” Schmitt continued.
“This platform enables DevOps teams to scan their applications quickly and accurately, eliminating time-consuming configuration and triage efforts often required with legacy tools.”
“They can orchestrate rapid static, SCA, and dynamic scans through a SaaS platform, enabling them to simplify and accelerate their DevSecOps workflows,” Schmitt concluded.
NEXT WEEK
ON MAY 15 IN NEW YORK CITY
DO NOT miss our upcoming Financial Forum in NYC
Stay up to date and receive our news, features and interviews for free
Our e-newsletter lands in your inbox every Friday. Sign up HERE in one simple step.
