Case 4:18-cv-07229-YGR Document 195-11 Filed 05/10/21 Page 1 of 22

EXHIBIT 6
HIGHLY CONFIDENTIAL – ATTORNEYS' EYES ONLY – SOURCE CODE

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
OAKLAND DIVISION

FINJAN LLC, a Delaware Limited Liability Company,
Plaintiff,

v.

QUALYS INC., a Delaware Corporation,
Defendant.

Case No. 4:18-cv-07229-YGR (TSH)

OPENING EXPERT REPORT OF ERIC COLE, PH.D. REGARDING INFRINGEMENT BY QUALYS INC. OF PATENT NOS. 6,154,844; 8,677,494; AND 7,418,731
[HC-AEO]

Date: December 1, 2020

Eric Cole, PH.D.
Ashburn, Virginia
network security, Finjan submitted and was awarded multiple patents, including the patents involved in this case.

1. The ’844 Patent

86. The ’844 Patent focuses on inspecting files that are downloaded onto a computer and verifying that the code is not suspicious and will not cause any harm before it is allowed to run on a client, like a web browser. ’844 Patent, 1:20-2:2. This is generally performed by looking at the content of the files, generating a profile and linking it to the content. This profile can be used in a number of ways to protect against threats. In one example, the profile may be used in real-time to decide what action would be allowed to be taken. ’844 Patent, 2:3-3:7. In other instances, the profile could be analyzed by other processes as part of a backend security system used to classify malicious content and push out updates to other systems.

87. More specifically, the technology focuses on protecting a system against a potentially malicious Downloadable. A Downloadable is any code that would get delivered to a computer from a third-party site, in which the user can have no level of trust in the validity of the code that is going to run on their system. ’844 Patent, 1:20-3:7. This code often comes from untrusted sites on the Internet and could run without the user’s knowledge or permission. The Downloadable is often in the form of Executables, Java applets, ActiveX controls, JavaScript, Visual Basic scripts, HTML, PDFs, etc. ’844 Patent, 1:60-2:2. Users often visit websites that they believe are legitimate and are inadvertently tricked into having code downloaded to their system that causes harm. Since the code can be very stealthy and bypass traditional security controls, the additional protection that is provided in the ’844 Patent is needed in order to minimize the damage that can be caused by this code. ’844 Patent, 1:20-59.

88. The technology protects a computer system using an inspector. ’844 Patent, 1:60-3:7. The inspector would review the Downloadable and create a security profile (also referred to as a “DSP”) that verifies and validates the actions that the code is going to take on the system. ’844 Patent, 1:60-3:7 and 3:66-5:13. The system can use the results of the analysis to allow code to run or prevent it from running on the system. ’844 Patent, 2:20-3:7. The security profile that is created is based off code that is identified to be suspicious. ’844 Patent, 2:3-3:7. This is significant because this would allow the invention to be able to detect both known attack vectors and unknown (zero-day) attacks. The term zero-day or 0-day attack was coined to refer to cases where the adversary knew about a vulnerability and released malicious code weeks or months before the software vendors had a chance to develop/release a patch and a signature.

2. The ’494 Patent

89. The technology of the ’494 Patent (including through its incorporation of the ’780 Patent as a parent application) generally relates to protecting against a potentially malicious “Downloadable.” ’780 Patent, 1:30-63; ’494 Patent, 1:60-63. At the time of the invention claimed in the ’494 Patent, a Downloadable was a new type of threat in the form of executables, JavaScript, PDFs, etc. ’780 Patent, 1:30-63; ’494 Patent, 2:59-64. In a typical scenario, a Downloadable is delivered to a computer from another computer on the Internet (sometimes called a server) where there is not a sufficient level of trust, and is a common avenue for adversaries to deliver malicious code to a system. ’780 Patent, 1:30-2:44; ’494 Patent, 2:51-3:2. This code often comes from untrusted sites or persons on the Internet and could run without the user’s knowledge or permission. ’780 Patent, 1:30-2:44; ’494 Patent, 2:51-3:2. Claim 10 of the ’494 Patent describes a system addressing this problem, which downloads content, inspects content that is downloaded, determines if the downloaded content may perform malicious or suspicious operations, and stores this security profile in a database. ’494 Patent, Claim 10. The ’494 Patent includes a description of the operations that are “suspicious.” ’780 Patent, 6:1-16. Suspicious operations described include operations for reading and writing files, sending data over a network, and changing the registry.
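The inspect-profile-store flow that paragraphs 86 through 89 describe, as an added illustration that is not part of this report, of the patents, or of any Qualys product: a toy inspector derives a security profile listing the categories of suspicious operation the report mentions (file, network, registry) from a constructed script, links the profile to the content by hash, stores it in a database so identical content is not re-inspected, and uses it for a real-time allow/block decision. The operation catalogue, the sample script, and every function name here are assumptions made for the example.

```python
import hashlib
import re
import sqlite3
from dataclasses import dataclass, field

# Assumed catalogue of suspicious operations, grouped the way the report
# groups them (file reads/writes, sending data over a network, registry
# changes). Regexes over the script text stand in for real parsing.
SUSPICIOUS_OPS = {
    "file": [r"FileSystemObject", r"CreateTextFile", r"\bopen\s*\(",
             r"\b(?:Read|Write)File\b"],
    "network": [r"XMLHttpRequest", r"\bfetch\s*\(", r"WinHttpRequest",
                r"\bsocket\b", r"\.send\s*\("],
    "registry": [r"\bRegWrite\b", r"\bRegSetValue\w*", r"HKEY_[A-Z_]+"],
}


@dataclass
class SecurityProfile:
    content_id: str                           # SHA-256 linking profile to content
    ops: dict = field(default_factory=dict)   # category -> sorted matched operations

    def is_suspicious(self) -> bool:
        return bool(self.ops)


def derive_profile(downloadable: bytes) -> SecurityProfile:
    """Inspect the Downloadable and record which suspicious operations it may perform."""
    text = downloadable.decode("utf-8", errors="replace")
    ops = {}
    for category, patterns in SUSPICIOUS_OPS.items():
        hits = sorted({m.group(0) for p in patterns for m in re.finditer(p, text)})
        if hits:
            ops[category] = hits
    return SecurityProfile(hashlib.sha256(downloadable).hexdigest(), ops)


def store_profile(conn: sqlite3.Connection, profile: SecurityProfile) -> None:
    """Persist the profile, keyed to the content hash, for later reuse."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS dsp (content_id TEXT, category TEXT, op TEXT, "
        "PRIMARY KEY (content_id, category, op))"
    )
    conn.executemany(
        "INSERT OR IGNORE INTO dsp VALUES (?, ?, ?)",
        [(profile.content_id, c, o) for c, hits in profile.ops.items() for o in hits],
    )
    conn.commit()


def load_profile(conn: sqlite3.Connection, content_id: str) -> dict:
    """Fetch a stored profile so identical content is not re-inspected."""
    ops = {}
    rows = conn.execute(
        "SELECT category, op FROM dsp WHERE content_id = ? ORDER BY category, op",
        (content_id,),
    )
    for category, op in rows:
        ops.setdefault(category, []).append(op)
    return ops


def policy_decision(profile: SecurityProfile, forbidden: set) -> str:
    """Real-time use of the profile: block if any forbidden category appears."""
    return "block" if forbidden & set(profile.ops) else "allow"


def roundtrip(downloadable: bytes) -> dict:
    """Derive, store and reload a profile through an in-memory database."""
    profile = derive_profile(downloadable)
    conn = sqlite3.connect(":memory:")
    store_profile(conn, profile)
    return load_profile(conn, profile.content_id)


# Constructed sample script for the example (not real malware): it writes a
# file and sends data over the network, but never touches the registry.
SAMPLE_DOWNLOADABLE = b"""
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.CreateTextFile("payload.txt", true);
f.Write("x");
var xhr = new XMLHttpRequest();
xhr.send(null);
"""

if __name__ == "__main__":
    profile = derive_profile(SAMPLE_DOWNLOADABLE)
    print(profile.content_id[:16], roundtrip(SAMPLE_DOWNLOADABLE),
          policy_decision(profile, {"network", "registry"}))
```

The profile is keyed to a hash of the content, so a second encounter with the same bytes can be answered from the database without re-inspection, and the same profile can feed either a real-time policy decision or a backend classification process, which is the dual use paragraph 86 describes.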

90. The ’494 Patent uses a malware scanning approach that was pioneered by Finjan. Deriving or generating Downloadable security profile data is quite different than the traditional signature based detection that was used before Finjan’s inventions. The traditional signature
QUALYS01994509.

159. Qualys Cloud Agents collect and upload data. Qualys Cloud Agents operate “in concert with the platform to optimize the discovery, classification, and reporting of vulnerabilities, compliance violations, and asset inventory. The agent uses a lightweight data collection mechanism to simply capture the version numbers and other metadata about the operating system and installed applications and sends the data to the platform for analysis and reporting.” QUALYS00325126.

160. According to Qualys, Cloud Agents are the preferred scanning “method for assets like dynamic IP client machines, remote/roaming users, static and ephemeral cloud instances, and systems sensitive to external scanning. After their initial deployment, Cloud Agents run a full configuration assessment of their host in the background and upload the collected data to the Qualys Cloud Platform for analysis. Then, as soon as changes occur, Cloud Agents push updates
262. Qualys PC “reporting can be leveraged to show compliance with internal security policies and regulatory policies.” QUALYS00642214.

QUALYS00642214.

263. Qualys PC “extends the global scanning capabilities of Qualys VM to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise,” but the scanner engines for Qualys PC and Qualys VM are the same although they implement different functionality. Kruse Dep. Tr. at 31:18-25 (Q: What’s the difference between the scanner engine for VM versus PC? A: It’s essentially the same scanner engine. It’s the same code. It’s just that the functionality is a little different between vulnerability management and policy compliance.).

3. Web Application Security

(a) Web Application Scanning (WAS)

264. Qualys Web Application Scanning (WAS) is a Qualys Cloud Platform application that communicates with a customer's web applications to detect vulnerabilities in the applications. Qualys WAS establishes a network connection with the assessed web application using a scanning appliance. The scanning appliance contacts the web application to inspect the content of the application, and further explores additional links within the application pages. WAS generates and presents a report to an end user which lists or shows the detected vulnerabilities or issues that may exist in the website. Thakar Dep. Tr. 29:4-32:4. A customer must purchase a WAS license for each application they want to test. Thakar Dep. Tr. 55:12-24.

265. Qualys describes Web Application Scanning (WAS) as “a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. Qualys WAS is bundled with additional scanning technology to proactively monitor websites for malware infections, sending alerts to website owners to help prevent blacklisting and brand reputation damage.” QUALYS00257792; FINJAN-QUALYS 043409.

266. Qualys’ WAS is built on Qualys’ “cloud-based security and compliance platform,” and according to Qualys, WAS scans “thousands of web applications per week” due to its scalability. QUALYS00257792.

QUALYS00257792.

267. Qualys WAS provides a single interface to allow a user to “identify, manage, and fix all web app vulnerabilities and misconfigurations.” QUALYS00257792.
QUALYS00246656.

268. Qualys identifies that WAS includes at least four key features: (1) comprehensive discovery, (2) deep scanning, (3) malware detection, and (4) DevSecOps tool.

QUALYS00257792.

269. Qualys WAS “continuously discovers and catalogs web apps in your network and detects vulnerabilities and misconfigurations. Its integration with Qualys WAF provides one-click patching of web apps. With WAS, you can also insert security into DevOps environments. Qualys WAS also identifies and removes malware from websites using behavioral and static analysis.” FINJAN-QUALYS 416092.

270. Qualys WAS first identifies the discoverable assets within a user’s network. Using the comprehensive discovery feature, “WAS finds and catalogs all web apps in [a user’s] network, including new and unknown ones, and scales from a handful of apps to thousands.” With Qualys WAS, a user can tag its applications with its “own labels and then use those labels to control reporting and limit access to scan data.” QUALYS00257792.
QUALYS00246658.

271. Qualys WAS then scans the discovered assets to detect vulnerabilities that may be exploited. “WAS’ dynamic deep scanning covers all apps on [a user’s] perimeter, internal networks, remote and mobile devices, and public cloud instances, and gives [the user] instant visibility of vulnerabilities like SQLi and XSS.” WAS deep scanning supports “[a]uthenticated, complex and progressive scans.” “With programmatic scanning of SOAP and REST API services, WAS tests IoT services and mobile apps.” QUALYS00257792.

272. Qualys WAS “provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure large numbers of web sites. Proactively scans web sites for malware infections, sending alerts to web site owners to help prevent black listing and brand reputation damage.” FINJAN-QUALYS 043409.

273. Qualys WAS malware detection feature further “scans an organization’s websites, and identifies, reports and removes infections, including zero-day threats via behavioral analysis. Detailed malware infection reports accompany infected code for remediation. A central dashboard displays scan activity, infected pages and malware infection trends, and lets users initiate actions directly from its interface.” According to Qualys, WAS can provide “[b]road threat coverage” to “[d]etect, identify, assess, track and remediate OWASP Top 10 risks, WASC threats, CWE weaknesses, and web-based CVEs.” QUALYS00257792.

QUALYS00246657.

274. Qualys WAS can also identify vulnerabilities that exist in early application development stages. Using the DevSecOps tool, “WAS can insert security into application development and deployment in DevSecOps environments. With WAS, [a user can] detect code security issues early and often, test for quality assurance and generate comprehensive reports.” A user can also “automate scans as part of the build process to detect security flaws early and often, and automatically deliver detailed reports for review and remediation. With its flexible scheduling features and tight integration with Qualys WAF, WAS can continuously monitor and virtually patch vulnerabilities in production web apps.” WAS integrates “with the software development lifecycle allowing scans at any time by developers, QA and security teams, as well as automating scans in DevOps and CI/CD pipelines.” QUALYS00289149.

275. Qualys WAS is natively integrated with Qualys’ Web Application Firewall (WAF) such that “WAS continuously monitors and virtually patches production apps,” including providing “one-click virtual patching of identified vulnerabilities.” QUALYS00257792.

276. Qualys WAS can work in conjunction with Qualys Web Application Firewall, which “protects web sites against attacks on server vulnerabilities and web app defects [and brings] cloud scalability and simplicity to strongly secure web apps against cross-site scripting (XSS), SQL injection, corrupted requests and other attacks.” FINJAN-QUALYS 043409.

277. Qualys WAS “and Web Application Firewall (WAF) are natively and tightly integrated for seamless identification and mitigation of risks and offer a complete solution for web app security. Qualys WAS is a robust DAST (Dynamic Application Security Testing) product that identifies security holes in web applications, SOAP web services, and RESTful APIs, through continuous discovery of HTTP services and detection of vulnerabilities and misconfigurations. Qualys WAS easily scales to scan thousands of web applications while covering the OWASP Top 10 vulnerabilities and more. Its malware detection functionality scans an organization's internet-facing websites, and identifies and reports infections, including zero-day threats via behavioral analysis. Detailed malware infection reports are provided for remediation. A central dashboard displays scan activity, infected pages and malware infection trends, and lets users initiate actions directly from its interface. Meanwhile, Qualys WAF blocks attacks and lets you virtually patch web app vulnerabilities. It can be quickly deployed for apps on public or private clouds, and scaled quickly. Application traffic stays in your environment to minimize latency and maintain control.” QUALYS00289149.

278. According to Qualys it “offers a complete solution for web app security” with Qualys WAS and WAF, “which are natively and tightly integrated, giving you a single, interactive console for web app vulnerability detection (WAS) and attack protection (WAF) for seamless identification and mitigation of risks. Qualys WAS is a robust DAST (Dynamic Application Security Testing) product that identifies security holes in web applications, SOAP web services, and RESTful APIs, through continuous web app discovery of HTTP services and detection of vulnerabilities and misconfigurations. Identified vulnerabilities from WAS can be virtually patched in WAF with the push of a button, thereby protecting you from exploitation even in the case where the application developers are unable to remediate the code.” QUALYS00289149.

D. Qualys Core Services

279. Qualys’ Core Services “enable integrated workflows, management and real-time analysis and reporting across all of [its] IT security and compliance solutions,” and include (1) asset tagging and management services, (2) reporting and dashboard services, (3) questionnaire and collaboration tools, (4) remediation and workflow tools, (5) a data correlation and analytics engine, and (6) alert and notification services that are leveraged by Qualys’ Integrated Suite of Applications. FINJAN-QUALYS 043409.

280. Qualys’ asset tagging and management service enables a customer “to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets.” FINJAN-QUALYS 043409.

281. Qualys’ reporting and dashboard services comprise a “highly configurable reporting engine that provides [an] organization with reports and dashboards based on user roles and access privileges.” FINJAN-QUALYS 043409.
(a) Vulnerability Management

337. Qualys Vulnerability Management, alone or in combination with Continuous Monitoring, ThreatProtect, or Cloud Agent, meets the recited claim language because Vulnerability Management, alone or in combination with Continuous Monitoring, ThreatProtect, or Cloud Agent, is an inspector that receives a Downloadable.

338. Vulnerability Management includes an inspector (e.g., VM Scanning Engine) that receives Downloadables (e.g., executable application programs scanned by VM in search of vulnerabilities).

339. Qualys Vulnerability Management uses “Qualys Scanner Appliance” or “Qualys Cloud Agent” to collect the data needed to perform a host vulnerability assessment. “Qualys Scanner Appliance targets host assets remotely” and “Qualys Cloud Agent installs as a local system service.” Data collected by the Qualys Cloud Agent “is sent back to Qualys Cloud Platform at regular intervals.”
QUALYS00263186.

340. Qualys Vulnerability Management has a “VM Scanning Engine” that includes a “Core Engine,” described as an “Inference-Based Scanning Engine” and Modules. “Initial modules are launched at the beginning of an assessment scan to collect the data needed by the scanning engine to select the appropriate vulnerability assessment modules and tests.” As shown below, VM collects configuration data from customer systems. As shown below in Qualys documents, this information includes, at a high level, open ports, active services, host operating systems, and installed software applications.
QUALYS00263186.

341. Qualys Vulnerability Management data collection modules collect host configuration data. “The primary modules that collect the host configuration data include: Host Discovery, Port Scanning, Service Detection and Operating System Detection. The data collected from these modules will be used later by the scanning engine to select the appropriate assessment modules.”

QUALYS00263186.
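The two-stage, inference-based flow quoted in paragraphs 340 and 341 (initial data-collection modules first, assessment modules chosen from what they found), as an added illustration that is not Qualys code and not part of this report: constructed discovery output (host, OS family, open ports, service banners, in an nmap-like line format assumed for the example) is parsed into per-host facts, and each assessment module runs only where its precondition holds. The module catalogue, the Apache version threshold, and all names here are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HostFacts:
    """What the initial modules (host discovery, port scanning, service and OS
    detection) learned about one host."""
    host: str
    os_family: str = "unknown"
    services: dict = field(default_factory=dict)   # port -> (service, banner)


# Constructed discovery output in an nmap-like line format assumed for the
# example (not Qualys' data format): one 'host' line per asset, then its ports.
DISCOVERY_OUTPUT = """\
host 10.0.0.5 os linux
10.0.0.5 22/tcp open ssh OpenSSH 7.4
10.0.0.5 80/tcp open http Apache httpd 2.4.29
host 10.0.0.9 os windows
10.0.0.9 445/tcp open microsoft-ds Windows Server 2016
10.0.0.9 3389/tcp open ms-wbt-server
"""

HOST_RE = re.compile(r"^host (\S+) os (\S+)$")
PORT_RE = re.compile(r"^(\S+) (\d+)/tcp open (\S+)(?: (.+))?$")


def parse_discovery(text: str) -> dict:
    """Turn data-collection output into per-host facts (host -> HostFacts)."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = HostFacts(m.group(1), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            facts = hosts.setdefault(m.group(1), HostFacts(m.group(1)))
            facts.services[int(m.group(2))] = (m.group(3), m.group(4) or "")
    return hosts


def version_of(banner: str) -> tuple:
    """Pull a dotted version out of a banner: 'Apache httpd 2.4.29' -> (2, 4, 29)."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else ()


def has_service(facts: HostFacts, name: str) -> bool:
    return any(svc == name for svc, _ in facts.services.values())


def service_older_than(facts: HostFacts, name: str, product: str, fixed: tuple) -> bool:
    """True if service `name` runs `product` at a version below `fixed`."""
    return any(svc == name and product in banner and () < version_of(banner) < fixed
               for svc, banner in facts.services.values())


# Assumed module catalogue: (module name, precondition over host facts). The
# Apache threshold is illustrative only and is not a claim about any CVE.
MODULES = [
    ("linux_local_checks",    lambda f: f.os_family == "linux"),
    ("windows_local_checks",  lambda f: f.os_family == "windows"),
    ("ssh_config_checks",     lambda f: has_service(f, "ssh")),
    ("apache_version_checks", lambda f: service_older_than(f, "http", "Apache", (2, 4, 41))),
    ("smb_signing_check",     lambda f: 445 in f.services),
    ("rdp_exposure_check",    lambda f: 3389 in f.services),
]


def select_modules(facts: HostFacts) -> list:
    """Inference step: launch only the assessment modules whose preconditions hold."""
    return [name for name, applies in MODULES if applies(facts)]


def plan_scan(discovery_text: str) -> dict:
    """host -> ordered list of assessment modules to run against it."""
    return {host: select_modules(f) for host, f in parse_discovery(discovery_text).items()}


if __name__ == "__main__":
    for host, modules in plan_scan(DISCOVERY_OUTPUT).items():
        print(host, modules)
```

The point of the inference step is that a host with no SMB port never receives the SMB module and an Apache build at or above the threshold skips the version checks, so scan time and noise scale with what discovery actually found rather than with the size of the check library.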
Communications use strong encryption and SSLv3 via port 443. The appliance polls QualysGuard automatically to download software updates and new vulnerability signatures, and to process job requests for network discovery and scanning. Intranet Scanner does not retain scan results; instead, all data is securely encrypted, transmitted, and stored at redundant Qualys operations centers.” FINJAN-QUALYS 037927.

358. Cloud Agent in combination with Vulnerability Management receives by an inspector a Downloadable. Qualys Cloud Agent includes an inspector (e.g., lightweight Cloud Agent installed on host systems) that receives Downloadables (e.g., metadata regarding installed software).

359. Qualys Cloud Agents reside on the assets they monitor and work with Qualys Vulnerability Management to provide agent-based detection thereby extending VM’s network coverage to assets that cannot otherwise be scanned.

Kruse Ex. 4, FINJAN-QUALYS 038136; Bachwani Dep. Tr. at 23:19-21 (“Q. Can you identify any Qualys products that use cloud agents? A. Vulnerability Management.”).

360. Qualys Cloud Agents “collect metadata from its host and send it to the Qualys Cloud Platform for processing. Vulnerability assessment tests (all the heavy lifting) are intentionally kept off the agent, and performed within the Qualys Platform.”
369. The foregoing are exemplary, and additional examples of infringing uses of the products may be included in my testing. FINJAN-QUALYS 761510-761573; FINJAN-QUALYS 761431-761479.

(b) Web Application Scanning

370. Qualys Web Application Scanning meets the recited claim language because it includes inspectors that receive a Downloadable.

371. Qualys Web Application Scanning includes an inspector or inspector system (e.g., WAS scanning engine) whereby Downloadables (e.g., executable application programs scanned by WAS in search of vulnerabilities) are received.

372. “Qualys Web Application Scanning (WAS) is a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection.” FINJAN-QUALYS 038140.

373. “Qualys WAS provides complete, accurate, and scalable web security and enables organizations to assess, track, and remediate web application vulnerabilities. Its capabilities are powered by the Qualys Cloud Platform.” FINJAN-QUALYS 038140.

374. Qualys identifies the “deep scanning” capability of Web Application Scanning as a top feature. “WAS’ dynamic deep scanning covers all apps and APIs on your perimeter, internal networks, and public cloud instances, and gives you instant visibility of vulnerabilities like SQLi and XSS.” WAS supports scanning of SOAP and REST API services, and tests IoT services and mobile app backends.

FINJAN-QUALYS 038140.
Bachwani Dep. Tr. at 84:17-85:5.

388. Qualys Web Application Scanning (product) includes a scanning engine by the same name—i.e., Web Application Scanning (engine). “The engine is what runs on the scanner appliance. The product is what customers use.”

Kruse Dep. Tr. at 10:21-12.

(i) Source Code

389. Qualys source code supports my infringement analysis:
has not otherwise construed the term “receiver;” therefore, I have interpreted the term based on its plain and ordinary meaning to one of ordinary skill in the art at the time of the invention. As I explain below, the Accused Products satisfy this plain and ordinary meaning.

(a) Vulnerability Management

1229. Qualys Vulnerability Management, alone or in combination with Continuous Monitoring, ThreatProtect, or Cloud Agent, meets the recited claim language because Vulnerability Management, alone or in combination with Continuous Monitoring, ThreatProtect, or Cloud Agent, includes a receiver for receiving an incoming Downloadable.

1230. Vulnerability Management includes a receiver (e.g., VM Scanning Engine) that receives Downloadables (e.g., executable application programs scanned by VM in search of vulnerabilities).

1231. Qualys Vulnerability Management uses “Qualys Scanner Appliance” or “Qualys Cloud Agent” to collect the data needed to perform a host vulnerability assessment. “Qualys Scanner Appliance targets host assets remotely” and “Qualys Cloud Agent installs as a local system service.” Data collected by the Qualys Cloud Agent “is sent back to Qualys Cloud Platform at regular intervals.”
Bachwani Dep. Tr. at 41:20-43:12.

1255. Data comes into the Qualys platform from either a Scanner Appliance or Cloud Agent for vulnerability processing by Qualys applications including Vulnerability Management.

Bachwani Dep. Tr. at 47:23-48:13.

1256. As illustrated below, the Qualys products include a receiver for receiving a Downloadable, which is indicated in the image below by reference to “switches,” which indicate receiving hardware or software.
FINJAN-QUALYS 043066.

(i) Source Code

1257. Qualys source code supports my infringement analysis:

Scan.php (Qualys_SC_000358-000387) shows how the scanner functions and operates to include receiving a file and scanning the file. It "contains logic to launch scans for VM. It actually -- you can launch scans for PC too from here. . . . generally the scan is against our -- you know, the full set of vulnerability checks that we have." On completion of the scan the file "save[s] the report in the database." Mr. Bachwani was unsure whether this file also launches scans for WAS or creates scan results. Bachwani Dep. Tr. at 214:21-220:11. However, my analysis leads me to conclude that it does execute WAS scans as well.

(ii) Testing

1258. Product testing confirmed my conclusions from above.

1259. Vulnerability Management includes a receiver for receiving an incoming Downloadable. The screenshots below from an exemplary Qualys VM scan report show that a
1261. The foregoing are exemplary, and additional examples of infringing uses of the products may be included in my testing. FINJAN-QUALYS 761510-761573; FINJAN-QUALYS 761431-761479.

(b) Web Application Scanning

1262. Qualys Web Application Scanning meets the recited claim language because it includes a receiver for receiving an incoming Downloadable.

1263. Qualys Web Application Scanning includes a receiver (e.g., WAS scanning engine) whereby Downloadables (e.g., executable application programs scanned by WAS in search of vulnerabilities) are received.

1264. “Qualys Web Application Scanning (WAS) is a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection.” FINJAN-QUALYS 038140.

1265. “Qualys WAS provides complete, accurate, and scalable web security and enables organizations to assess, track, and remediate web application vulnerabilities. Its capabilities are powered by the Qualys Cloud Platform.” FINJAN-QUALYS 038140.

1266. Qualys identifies the “deep scanning” capability of Web Application Scanning as a top feature. “WAS’ dynamic deep scanning covers all apps and APIs on your perimeter, internal networks, and public cloud instances, and gives you instant visibility of vulnerabilities like SQLi and XSS.” WAS supports scanning of SOAP and REST API services, and tests IoT services and mobile app backends.

FINJAN-QUALYS 038140.