Software Integrity Blog


Your application security testing tool just got acquired. Now what?

A cyber security acquisition can be a great deal for investors, but what about users? Here’s what to do if your application security tool has been acquired.

You spend a large sum on your application security testing tool. You roll out an application security testing program across your organization. Then one fine day, you learn that the vendor or the tool you’ve been using has been acquired. Now what?

Mergers and acquisitions bring a lot of uncertainty for customers. Personnel may change; terms of service may change. That shiny new feature that your vendor promised to implement in the next release may be in jeopardy. Not only that, but the product itself may be end-of-lifed!

If you’re running an application security program for a government agency, things may get even more complicated after a cyber security acquisition. What if your tool gets acquired by a company offshore? After all, we’re talking about potentially giving a foreign-located vendor access to vulnerabilities in your applications. Do you trust the vendor and their personnel to perform security testing on applications that handle sensitive or classified information?

What to do after a cyber security acquisition

If you find yourself in a sticky situation related to a cyber security merger or acquisition, follow these simple steps:

  • Review your contract. Have your legal team look at the contract to understand your options, including the ability to revisit the contract in an M&A situation.
  • Understand the drivers. Do some research to understand the drivers behind the acquisition. Sometimes companies acquire tools to shut them down and gain market share (e.g., Slack’s acquisition of HipChat). In such cases, you need to prepare for change.
  • Know your standards and regulations. Some sectors, like government, have strict regulations for working with companies in particular countries. For example, Indian company HCL’s acquisition of AppScan may raise concerns for U.S. intelligence communities that share information only with select countries and may take issue with sensitive data being housed by companies outside that group.
  • Assess the impact. Every merger or acquisition brings some changes. Assess the impact on your business. Were you waiting on any major product updates? Could product consolidations affect your existing integrations? Are you no longer able to fulfill certain regulation or compliance needs owing to the merger or acquisition of your vendor?
  • Evaluate your options and make a decision. If you anticipate significant changes as a result of the merger or acquisition, this is your opportunity to move on to something better.

Consider your AppSec tool alternatives

Synopsys offers a wide array of market-leading application security testing tools and services to meet all your application security testing needs. We offer Coverity for static analysis, Black Duck for software composition analysis, Defensics for protocol fuzzing, Seeker for interactive application security testing, and Managed Services for a plethora of application security testing services.

Since we offer more application security testing solutions than I can cover in one blog post, I’d like to introduce you to Seeker, which is the tool of choice for any organization looking for an efficient dynamic security testing solution. If the future of your AppSec tool is uncertain following a cyber security acquisition, you should seriously consider Seeker. Here’s why:

Automated security testing during functional testing

Seeker converts your functional tests into security tests. All you need to do is install a Seeker agent on your application. The Seeker agent monitors application behavior and reports vulnerabilities. There’s no need to perform security testing separately; Seeker does it for you while your QA team is testing your application.

Integrated software composition analysis

Seeker also performs software composition analysis and reports vulnerable open source and third-party components in your application, something that traditional DAST tools do not do.

Sensitive-data leakage testing

Seeker is the only AppSec tool that can track and detect sensitive-data leakage based on both value and name patterns. This capability allows you to accurately detect sensitive-data leakage in your application.

Automated verification of vulnerabilities to remove false positives

Does your DAST tool report a lot of false positives? Are you wasting precious resources chasing them? If so, then you need to try Seeker. Seeker has a unique patented verification engine that automatically verifies vulnerabilities in real time to filter out false positives.
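As an added illustration of the two ideas above (detecting leaked sensitive data by both field name and value shape, and filtering out look-alike values before they become false positives), here is a small response checker written for this post. It is not Seeker's engine; the field-name list, value regexes and sample JSON body are all constructed assumptions.

```python
import re
from typing import Any, Iterator, List, Tuple

# Constructed field-name and value patterns; Seeker's real rule set is not reproduced here.
NAME_PATTERN = re.compile(r"passw(or)?d|secret|ssn|social.?security|card.?(num|no)|cvv|token", re.I)
CARD_VALUE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_VALUE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs so card hits are credible."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _walk(node: Any, path: str) -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every leaf of a nested JSON-like body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_leaks(response_body: Any) -> List[dict]:
    """One finding per leaf whose field name or value looks sensitive."""
    findings = []
    for path, value in _walk(response_body, ""):
        reasons = []
        if NAME_PATTERN.search(path.rsplit(".", 1)[-1]):   # name pattern on the leaf key
            reasons.append("name")
        text = str(value)
        m = CARD_VALUE.search(text)
        if m and luhn_ok(re.sub(r"[ -]", "", m.group())):   # value pattern plus checksum
            reasons.append("card-value")
        if SSN_VALUE.search(text):
            reasons.append("ssn-value")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings

# Constructed response body: one leak by name, one by value, one SSN in free text,
# and an order id whose 13 digits fail the Luhn check and so are not reported.
SAMPLE_BODY = {"user": "alice", "password": "hunter2",
               "payment": {"pan": "4111 1111 1111 1111"},
               "notes": "SSN 123-45-6789", "order_id": "1234567890123"}
```

Running `find_leaks(SAMPLE_BODY)` reports the password field by name, the PAN by value, and the SSN inside the free-text note, while the Luhn-invalid order id is left alone.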

Full context of vulnerabilities for easy remediation

Since Seeker is based on instrumentation technology, it can provide the full context of vulnerabilities. Code location (line number and file name) and runtime context (request and response) make it easy to remediate vulnerabilities.

Integrated eLearning

Seeker provides contextual training through integrated eLearning, which allows developers to get just-in-time training on vulnerabilities and remediate them quickly.

An acquisition can be an opportunity

If your AppSec tool or vendor has been acquired, you’re faced with an important decision. You may have to find a new vendor so you can comply with regulations or meet your customers’ requirements. Or you may want to find a new tool to meet your own needs. Either way, a cyber security acquisition can be a golden opportunity for you to find better options.

To learn more about Seeker, watch our webinar on IAST, or read our Q&A about IAST.
