You Wouldn’t Buy a Home Without an Inspection. Why Buy a Company Without One?

PUBLISHED ON June 30, 2020
LAST UPDATED August 2, 2021

Mergers and acquisitions are some of the most important, exciting, and often messy aspects of the business world. Having been through the process several times, both as an acquirer and an acquiree, I can personally attest that technology and security are areas where things can get particularly messy. Buyers and sellers will often have very different approaches to security–different levels of operational maturity, different tools, and different threat profiles. This means that many of the details about security posture and risk only become known after an acquisition is complete. Yikes!

While no technology can tame all the challenges of an acquisition, ThreatX’s web application and API protection + bot + DDoS (WAAP++) platform can give organizations an easy, yet powerful way to wrest control over AppSec. Because it can be up and running in just a few hours, ThreatX can help uncover problems during the due diligence process, letting security teams quickly triage and deliver core protections to newly acquired sites and apps after the merger is complete. Let’s take a closer look.

Find Your Security Tech Debt

Every acquisition is unique, but let’s consider the following scenario as an exemplar:

At the highest level, a large, mature company acquires a smaller, younger startup. The larger company has over 1,000 applications and sites. They have sophisticated and mature AppSec and SecOps programs. By contrast, the younger, leaner acquiree has only 30 websites and apps and only a fraction of the security tools, processes, and staff that the larger organization may take for granted.

As the larger company prepares to absorb the smaller, this delta in process, people, and technology amounts to considerable security tech debt. Identifying and then managing this security tech debt can be a painful and haphazard process. Discovery often comes in the form of technical stubbed toes caused by accident rather than by design.

AppSec Triage and Ring Fencing

ThreatX can arm organizations to take a far more proactive and consistent approach to finding and addressing the combined security tech debt at this stage of an acquisition. With simple updates to DNS settings, ThreatX can automatically begin analyzing an organization’s traffic, and hence the attacks, against newly acquired apps. Once up and running, teams can use ThreatX to gain visibility into the real-world details of their new app landscape, including the application technology stack, the types of traffic and patterns associated with each app, and the unique attacker profiles for each application. Organizations can quickly begin to understand the real risk profile of every application asset.

This visibility can also quickly translate into protection. Enabling ThreatX WAAP++ protection ring-fences and instantly protects newly acquired assets from all major types of threats, including SQL injection and XSS attacks, attacks from bots and other forms of malicious automation, DDoS attacks, and many more threat vectors.

With just a few minutes of effort, organizations can see their risk profile and start insulating their apps from threats.

With the immediate risk addressed, security teams can use these insights to proactively triage apps and their associated risk. Analysis can often identify applications to decommission completely or highlight those to prioritize for heightened protections, including static or dynamic application security testing tools (SAST/DAST), application source code analysis, and penetration testing, to name a few.
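The triage step described above can be sketched in code. The following is an added example, not ThreatX code: it parses a handful of constructed access-log lines for three hypothetical acquired hosts, profiles each app (inferred stack from path extensions, distinct clients, requests carrying SQL injection or XSS markers, scripted user agents, server errors) and assigns a triage priority. The scoring weights and thresholds are assumptions chosen for illustration, not a recommended standard.

```python
"""Profile and triage newly acquired web apps from sample access logs (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample: combined log format prefixed with the virtual host.
# Hostnames, IPs and requests are invented for this example.
SAMPLE_LOG = """\
shop.acquired.example 203.0.113.5 - - [30/Jun/2020:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
shop.acquired.example 203.0.113.5 - - [30/Jun/2020:10:01:05 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 500 120 "-" "Mozilla/5.0"
shop.acquired.example 198.51.100.9 - - [30/Jun/2020:10:02:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "python-requests/2.23"
legacy.acquired.example 198.51.100.9 - - [30/Jun/2020:10:03:11 +0000] "GET /admin/login.jsp HTTP/1.1" 200 900 "-" "python-requests/2.23"
legacy.acquired.example 198.51.100.9 - - [30/Jun/2020:10:03:12 +0000] "GET /admin/login.jsp HTTP/1.1" 404 80 "-" "python-requests/2.23"
docs.acquired.example 192.0.2.44 - - [30/Jun/2020:10:04:00 +0000] "GET /intro.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Coarse detection markers used only to count suspicious requests per app.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)
XSS_RE = re.compile(r"<script|javascript:|onerror\s*=", re.I)
BOT_UA_RE = re.compile(r"python-requests|curl|wget|scrapy", re.I)

# Path extension -> inferred technology stack (assumption for illustration).
STACK_HINTS = {".php": "PHP", ".jsp": "Java/JSP", ".aspx": "ASP.NET", ".html": "static HTML"}


@dataclass
class AppProfile:
    requests: int = 0
    client_ips: set = field(default_factory=set)
    stacks: set = field(default_factory=set)
    sqli: int = 0
    xss: int = 0
    bot_requests: int = 0
    server_errors: int = 0


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def profile_hosts(records):
    """Aggregate per-host traffic characteristics from parsed records."""
    profiles = defaultdict(AppProfile)
    for r in records:
        p = profiles[r["host"]]
        p.requests += 1
        p.client_ips.add(r["ip"])
        decoded = unquote(r["path"])          # decode percent-encoding before matching
        bare_path = decoded.split("?", 1)[0]
        for ext, name in STACK_HINTS.items():
            if bare_path.endswith(ext):
                p.stacks.add(name)
        if SQLI_RE.search(decoded):
            p.sqli += 1
        if XSS_RE.search(decoded):
            p.xss += 1
        if BOT_UA_RE.search(r["ua"]):
            p.bot_requests += 1
        if r["status"].startswith("5"):
            p.server_errors += 1
    return dict(profiles)


def triage(profiles):
    """Return {host: (priority, score)}; weights and thresholds are illustrative assumptions."""
    result = {}
    for host, p in profiles.items():
        score = 3 * p.sqli + 3 * p.xss + 1 * p.bot_requests + 2 * p.server_errors
        priority = "high" if score >= 6 else "medium" if score >= 2 else "low"
        result[host] = (priority, score)
    return result


if __name__ == "__main__":
    profs = profile_hosts(parse_log(SAMPLE_LOG))
    for host, (prio, score) in sorted(triage(profs).items(), key=lambda kv: -kv[1][1]):
        p = profs[host]
        print(f"{host:26} {prio:6} score={score:2} stack={sorted(p.stacks)} "
              f"clients={len(p.client_ips)} sqli={p.sqli} xss={p.xss} bots={p.bot_requests}")
```

In the sample, the PHP shop front attracts both injection probes and a server error and lands in the high bucket, the legacy JSP admin page sees only scripted traffic and lands in the medium bucket, and the static documentation site scores zero. A real inventory would run over weeks of traffic rather than six lines, but the shape of the output (stack, clients, attack pressure, a ranked list) is what lets a team decide which acquired apps to decommission and which to push toward SAST/DAST or penetration testing first.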

The Home Inspection for Your Digital Assets

Visibility into applications and threats can also be particularly useful as part of the pre-acquisition due diligence process. Analyzing actual application traffic can give the acquiring organization a much more unobstructed view of the risk profile of crucial applications and any associated security tech debt.

In many ways, this visibility is analogous to the standard, detailed home inspection of any property sale. While most of us would never buy a home without an inspection or without checking the foundation, most mergers occur without a similar level of visibility into the foundations of the business applications included in the acquisition. Much like the ubiquitous home inspection, analysis of application traffic and the associated risks and threats could quickly become a standard part of the escrow process for company mergers and acquisitions. Instead of waiting to find problems after the deal closes, buyers would have a way to build in some recourse for any unexpected security problems.

Business applications are some of the most critical assets in any acquisition, and the risks and threats associated with them are very real potential liabilities. Before or after a purchase is complete, ThreatX provides a nimble, low-friction option that can give visibility into and protection for these critical assets. If this sounds interesting or relevant to you, please reach out to us. Let’s talk more about this and other innovative ways ThreatX is redefining web application security to make it useful — and usable.

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.