alphaspirit - Fotolia
Frankenstein code. It’s the stuff of nightmares, and it’s all too common -- especially in long-established enterprises. Huge system-level problems are not unusual, such as those discovered when two airlines merged and ticketing ended up grinding to a halt.
“It is so complicated because these systems are so large and [they] involve so many technologies and languages that no one can fully understand them,” says Bill Curtis, senior vice president at CAST, a software analysis and measurement technology provider in New York. “Some people say security is separate from software quality, but it’s not,” adds Curtis, who also serves as the executive director of the Consortium for IT Software Quality, an international standards organization for software-intensive systems.
When companies merge, especially larger organizations, the complex architecture, systems and customized software that their businesses and operations depend upon need to be vetted and consolidated. This is a multifaceted and costly task that rarely includes adequate resources for identifying Web and enterprise software security gaps.
“We look at business transformations like mergers as a great opportunity, but they come with risk,” says Bethany Larson, a partner in cyber risk services at Deloitte & Touche, in the Minneapolis-St. Paul area. “From a code perspective, we typically see the most application risk in custom code; the actual developers may be long gone, usually there’s no documentation, and often there are backdoors and other security problems.”
The challenges come in many forms including material, procedural and compliance, notes Tyler Shields, a principal analyst in security and risk at Forrester Research. “Everything from secure development procedures to vulnerability detection, mitigation, protection, and even incident response models and procedures will likely differ significantly,” he says. And merging these procedures takes time and resources that generally aren’t available during the M&A process.
After a merger or acquisition, which often can span months if not years, IT organizations are usually under pressure to accomplish three very different tasks: keep the networks and systems running smoothly, find a way to combine and consolidate resources (systems, applications and staff), and make sure sensitive data stays secure. They also have to determine which applications outsiders, such as vendors, may be able to access, which can pose critical data security problems, says Larson.
As a consequence of these issues, CISOs are increasingly getting pulled into M&A evaluations. They are not only being asked whether the new entity should even be allowed to connect to the network but also consulted in regards to the security of applications, notes John Pescatore, director of emerging security threats at SANS Institute, a security training organization. One area of particular concern is the use of open source software. “There are pieces of open source in infrastructure and products, and experience has shown that open source is actually more vulnerable,” he says.
What to keep
The company that gets acquired is usually transitioned to the systems and software of the other organization, whether it’s enterprise resource planning or email. But not always, says John Pescatore, director of emerging security threats at SANS Institute, a security training organization.
“To some extent this question boils down to having the capabilities to manage a heterogeneous environment,” he says. “For example, there are products out there such as AlgoSec that can help you manage multiple firewalls.” But retaining “extra” applications ultimately means you could end up paying for twice as much capability as you need.
And if you are hanging on to someone else’s favorite application, think about the new entity’s IT staff and what they can realistically handle. Sometimes, companies just start cutting headcount in a merger without looking closely at the skills they require. “You need to make sure you already have or can retain people with skill sets relevant to your newly enlarged infrastructure,” Pescatore says.
Bug bounty programs, which are gaining in popularity, can also be helpful. If the acquired organization has a vulnerability rewards program, consider the benefits of continuing it, especially if you have the resources to manage a bug bounty program. —A.E.
Licensing and IP matters
An acquirer needs to make sure the target company has licensed and paid for its operating systems and software. Discovering hundreds of illegally operated desktops restricts your ability to update and patch security flaws, Pescatore says.
More emphasis is now being placed on scrutinizing licenses and IP ownership during the M&A process, agrees Shields. “This due diligence is required to ensure that you aren’t taking on any additional legal liabilities with the software you are acquiring.”
Have your security team go through a maturity assessment of the target company’s software development lifecycle. “Don’t just ask their people if the software is secure; ask for documentation and consider testing it for vulnerabilities,” advises Shields. Tools can help. Application security providers such as Cigital Inc., Veracode and WhiteHat Security, offer a range of vulnerability testing services.
Most applications flaws are relatively minor; they simply haven’t been addressed, says Curtis. But there can be exceptions. Thus, implementing both static and dynamic testing of applications before or after a merger is a good policy, in areas where there are security concerns.
However, subtle and potentially dangerous issues may escape testing or superficial analysis. “Some of the biggest glitches are driven by misunderstandings about how things operate, perhaps because organizations define functions or terms differently, and that can contribute to hacker exploits,” he says.
Bill CurtisSenior vice president, CAST
Nor is it simply a problem with older “legacy” code. General security issues in the software industry have existed for decades, but companies also face new challenges. “Many of the people writing code today are self-taught and [they] haven’t been exposed to software engineering concepts and best practices,” says Curtis. “I don’t see the problem getting better any time soon; we are now getting into ‘systems of systems’ that not even a team of humans can understand.”
Companies can perform a variety of risk assessments, from written questionnaires and on-site interviews to penetration tests and security audits. However, you’ll typically face significant pushback from the M&A target when it comes to obtaining this information, claims Jacob Olcott, vice president of business development for BitSight Technologies in Cambridge, Mass., which provides a security ratings service for clients. It can also be challenging to identify any previous cybersecurity incidents that may devalue the information assets being acquired, such as intellectual property or trade secrets. “Any acquirer will want to factor future IT and IT security expenditures into the price of the acquisition,” he says.
Making it all work
Stephen Cobb, a senior security researcher at San Diego endpoint security provider ESET North America, says to make the merger process work well, both sides should review their risk management and application security processes.
A good place to start is by assessing your own security posture:
- What is your current risk management strategy and is it backed up with policies and controls?
- Does your organization have strong IT security governance in place?
- Are your own systems, including websites and enterprise applications, as secure as they should be?
- How robust is the authentication system for all of your resources? Are you using two-factor authentication in the right places, or across all systems?
- What is your disaster recovery plan? How recently has it been tested and reviewed?
“After thinking about those things, you should then approach the other entity with a view that you have to ask them about everything,” Cobb says. “And then plan to make an inventory of everything they have and how it works.”
There’s still too little appreciation of the growing complexity of cloud assets that come with a merger, according to SANS’ Pescatore, who says these applications include not only IT-controlled resources, but the software-as-a-service assets used by business units and individual departments, such as Box and Salesforce. Each deployment could contain potential vulnerabilities. “Sometimes, the IT people don’t even know about these things,” he adds.
It’s also essential to be methodical and patient as the M&A process unfolds. Companies rarely complete a merger of IT systems as a “big bang,” notes Deloitte & Touche’s Larson. Usually organizations need to step back and think about how they have been defining risks and using data types, and then decide what software is the best option, she explains.
Larson recommends looking at all the applications and prioritizing your work based on their risk issues. “If something represents a low risk, it is easier to just leave it alone, but if it could involve high risk, based on external threats to your company or on the number of users, it is smart to concentrate there,” she says. Similarly, deciding whether to combine systems, run them in parallel or some other option should be based on a risk assessment.
“The other merger task that we see as critical is to have a view of the security threat through the whole cycle of the merger—you need to avoid disconnects,” cautions Larson. She says it is easy for employees or business units to take over during the M&A process, which can upset the proper balance between providing access and sound security. “A merger is a chance to take control of data and to try to limit the roles that may have accumulated in both organizations,” she explains. Thus, the merger can provide a chance to redesign those roles and permissions based on the new business, and implement other useful changes such as standard naming conventions.
Finally, it’s important remember the necessity of applying similar risk-management and security processes if your organization spins off a new entity. “Almost all the same concerns and processes apply there,” Larson says.
About the author:
Alan R. Earls is a freelance journalist based near Boston. He focuses on business and technology, particularly storage, security and the Internet of Things.