Enterprises face an uphill battle in controlling security risks across their extended software supply chain, and vetting software that enters the organization through a Mergers & Acquisitions (M&A) process is a critical step in a proper Information Risk Governance Model. Given the highly sensitive and confidential nature of most transactions, inserting appropriate software security diligence into the overall transaction process must be seamless, tightly controlled and performed on a timely basis. This brief process outline will help organizations implement a secure acquisition strategy for commercial applications.
1: Designate Project Managers for Acquirer and Acquired
The most effective control is having the right personnel from both organizations manage the technical and logistical goals of the engagement. CA Veracode will designate a Technical Account Manager for this process, who will serve as the single point of contact for both the Acquirer and the Target Company.
2: Determine Applications’ Business Criticality
Determining the business criticality of each application is an important first step in setting the appropriate security hurdles for a target company or software product. Business criticality should be based on six core potential-impact dimensions: a) inconvenience, distress, or damage to standing or reputation; b) financial loss or agency liability; c) harm to organization programs or stakeholders; d) unauthorized release of sensitive information; e) personal safety; and f) civil or criminal violations.
3: Establish Security Quality Criteria via Application Assurance Level
Based on its business criticality, each application is assigned an assurance level of very high, high, medium or low. Each assurance level has an underlying set of security checks or scans that are performed during the automated assessment. Custom policies or security checks can also be assigned to fit an organization's existing M&A diligence process.
4: Identify All Functions and Features to be Analyzed in Target Application
Security analysis of commercial applications can be costly when performed by consultants doing manual code review, or when it relies on tools with high false positive and false negative rates. In many cases, only a subset of an application needs assessment, given the post-acquisition use case or deployment scenario. CA Veracode's automated cloud-based platform makes it easy for Acquirers to pinpoint the software assets in the code base that most need analysis, avoiding wasted time and effort on unimportant assets and shortening turnaround times.
5: Determine Required Remediation Effort by Target Prior to Acquisition
Once security vulnerabilities have been identified in the target company's software, the Acquirer should make clear the remediation effort required of the target company, either prior to final acquisition or within a specified time post-acquisition but pre-deployment.
6: If Appropriate, Resubmit Application to Verify Remediation Successful
Once the Target Company's development team has remediated the identified security vulnerabilities, the software can be resubmitted to the CA Veracode services platform for a complete security regression analysis of the remediated code base, confirming that the vulnerabilities have been properly fixed and that the fixes have not introduced new findings.