Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 1 of 53

`EXHIBIT 4
`
HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

OAKLAND DIVISION

FINJAN LLC., a Delaware Limited Liability Company,
Plaintiff,

v.

QUALYS INC., a Delaware Corporation,
Defendant.

Case No. 4:18-cv-07229-YGR (TSH)
Hon. Yvonne Gonzalez Rogers

EXPERT REPORT OF NENAD MEDVIDOVIĆ, PH.D.
[HC-AEO]

______________________
Nenad Medvidovic, PH.D.
December 1, 2020
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`1
`
MEDVIDOVIC EXPERT REPORT
Case No. 4:18-cv-07229-YGR (TSH)

Viruses and Malware
Viruses and malware are harmful programs (or program fragments) that are
downloaded or transferred by recordable media (i.e., floppy disk or USB flash
drive) and installed on a user’s computer, often without the user’s knowledge. The
behavior of a virus or malware ranges from simply making a copy of itself, to
annoying the user with strange computer problems, to invading the user’s privacy by
stealing sensitive personal or private information, to using the user’s computer as a
platform to attack other computers (as in denial-of-service attacks).
` Once successfully installed on a target system, many viruses and
`malware programs will attempt to communicate with the person who deployed them
`by sending messages to that person indicating that they have been successfully
`deployed. Such messages come in many forms, and are often referred to as a
`“beacon.” The messages may also be inserted into messages that a server sends out.
`Some viruses and malware, once deployed, will “exfiltrate” data from the targeted
system to their user. Others allow the user to gain access to the infected system, such
`as through a remote command shell interface that allows the user to perform actions
`within the system and to “pivot” to gain access to other servers and computers
`within the network.
` To prevent these harmful programs from infecting a user’s computer,
`anti-malware tools can be installed and executed on a security gateway. For
`example, a security tool in a security gateway may intercept a virus or malware
`before it reaches the user’s computer.
` Traditionally, an anti-virus software program compares a representation
`of the malware to the malware itself. This representation is often formed based on a
`pattern of bytes in the computer code that is unique to the virus program, and is
`called a “signature.” For example, a signature could be the bytes “08 201 251 A T
`M.” This six-byte sequence (three integers and three ASCII characters) may be
`present in a virus program but not observed in any other benign program (such as,
`21
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 4 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`Microsoft Word). Therefore, by looking for this string, one might identify the
`malware, without the risk of flagging benign programs as malicious.
` A traditional anti-virus software program maintains a list of such
`signatures, one for each malicious program that it can detect, and may be installed
`on the security gateway. In this case, the anti-virus program looks for a particular
`set of bytes in the representation of the code, and takes action based on whether or
`not a match has been found. For example, a security gateway that identifies a mail
`attachment as a virus may discard the message and notify the client that the message
`was designed to damage the computer.
` These signature-based approaches suffer from a number of problems.
`First, the approaches only detect malware after the fact. These approaches do not
`identify or block the vulnerabilities that were exploited to introduce the malware
`into the system in the first place. Such vulnerabilities can often be exploited to
`introduce any number of malware programs into a system until they are remediated.
` Additionally, if a new malware threat is created, the anti-virus program
`will not have a signature that detects this new malware until its list of signatures is
`updated to include an identification of the new malware threat. During the period
`between updates, the user is vulnerable to an infection until a signature is created
`and distributed to the anti-virus tool. Therefore, this approach can only identify
`previously known malware samples for which a signature has been developed and
`added to the list of signatures. As the number of malware programs grows, the list
`of signatures will also grow. Therefore, signature-based approaches are difficult to
`manage (e.g., distributing large lists of signatures becomes complicated) and slow
`(looking for all the signatures in every file downloaded can take a long time). In the
`computer industry, using virus signatures to check files for viruses is called a
`reactive technology, because the system has to be informed of a new malware
program in order to protect against a virus program infection. The bottom line is that
signature-based anti-virus tools are only effective after a virus has been identified
`and, therefore, after it has done its harm.
An alternative, more proactive, approach is to identify and close
vulnerabilities before malware is even introduced into a system. Because a large,
complex system often has many potential points of access, it can have a large
number of potential vulnerabilities. It is important, then, to prioritize which potential
vulnerabilities are most likely to actually permit malware into the system, so that the
network operator can devote the limited available resources to remediating
the most pressing vulnerabilities. One way to prioritize potential vulnerabilities is to
use a penetration testing tool that attempts to exploit potential vulnerabilities. When
a potential vulnerability is successfully exploited by the penetration testing tool,
the vulnerability is validated and can be prioritized.
` To understand how behavior might be leveraged in order to detect
`viruses and malware, consider a scenario where a user inadvertently attempts to
`download a malware program via an HTTP request. The security gateway intercepts
`the program or webpage before it reaches the user’s computer. The content of this
`malware program is then analyzed to determine which operations might be
`performed. This analysis can be performed by analyzing the file itself to look at
operations within the file. These operations can then be compared to a security policy
`to determine whether the operations might signal malicious behavior. If the
`malware program is detected, the security gateway can block the program from ever
`reaching the user’s computer.
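As an added illustration of the two gateway checks described above (the byte-signature comparison and the comparison of a file’s operations against a security policy), the following Python sketch is not code from this report or from any vendor product. The signature bytes follow the report’s “08 201 251 A T M” example; the operation names, policy rules and sample payloads are constructed for the illustration.

```python
"""Toy security-gateway check: byte-signature match, then a behaviour policy.

Added example; not code from the expert report or from any vendor product.
The signature list, the operation names, the policy rules and the sample
payloads below are all constructed for illustration.
"""
import re

# The report's example signature "08 201 251 A T M": three integers followed
# by three ASCII characters, stored as a six-byte sequence.
ATM_SIGNATURE = bytes([8, 201, 251]) + b"ATM"

# A signature list: one byte pattern per malicious program the gateway knows.
SIGNATURES = {
    "example-virus": ATM_SIGNATURE,
}

# Behaviour policy: operations whose presence in downloaded content signals
# the behaviours the report lists (self-copying, beaconing, exfiltration,
# remote shell access). The operation names are hypothetical stand-ins for
# calls a content analyzer would recognise in a script or executable.
POLICY_DENY = {
    "self-copy": re.compile(rb"copy_self\s*\("),
    "beacon": re.compile(rb"beacon\s*\("),
    "exfiltrate": re.compile(rb"send_file\s*\("),
    "remote-shell": re.compile(rb"open_shell\s*\("),
}


def match_signatures(content: bytes, signatures=SIGNATURES) -> list:
    """Reactive check: names of every known signature found in the content."""
    return [name for name, sig in signatures.items() if sig in content]


def policy_violations(content: bytes, policy=POLICY_DENY) -> list:
    """Behaviour check: policy rules whose operation appears in the content."""
    return [rule for rule, pattern in policy.items() if pattern.search(content)]


def gateway_decision(content: bytes) -> dict:
    """Block the download if either check fires; record why for the client."""
    sigs = match_signatures(content)
    violations = policy_violations(content)
    return {
        "block": bool(sigs or violations),
        "signatures": sigs,
        "violations": violations,
    }


# Constructed samples.
KNOWN_SAMPLE = b"hdr\x00" + ATM_SIGNATURE + b"\x00 copy_self(); beacon('c2.example')"
BENIGN_DOC = b"Quarterly report. Revenue up 3%. Contact: finance@example.test"
# No signature on the list describes this sample yet, so the reactive check
# misses it; the policy still flags its exfiltration and remote-shell operations.
UNKNOWN_SAMPLE = b"init(); send_file('docs/secret.txt'); open_shell()"

if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("benign", BENIGN_DOC),
                        ("unknown", UNKNOWN_SAMPLE)):
        print(label, gateway_decision(blob))
```

The third sample is the case the report calls reactive detection missing: nothing on the signature list matches it, and only the behaviour policy blocks it.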
` Vulnerability Management
` Vulnerability management refers to the concept within the computer
`security field of identifying and remediating vulnerabilities. A vulnerability is a
`weakness in security that is subject to being exploited, which is when malicious
software or a bad actor uses the vulnerability to harm or attack a computer or
`network. To illustrate the concept by analogy to a non-computer context, a
`23
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 6 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` Databases
` A typical database file is used to store data in a structured manner.
`This data is later retrieved from the database file and used by application programs.
`Databases are used in security to hold information about security threats,
`vulnerabilities and files that are analyzed, as well as rules that are used to analyze
`files. The cloud also uses large databases to hold more information about a file for
`security purposes and to help security companies analyze a large sampling of files.
`On premise devices as well as other devices in the cloud can check databases in the
`cloud for security decisions on files that are being analyzed on premise or in the
`cloud.
`VII. Qualys’s Products
`
`I understand that Finjan contends that the following products infringe
`the ’408 patent: Web Application Scanning (WAS); Vulnerability Management
`(VM) (including as used in VMDR); Continuous Monitoring (CM);
`ThreatPROTECT (TP); and Policy Compliance (PC) (VM, CM, TP and PC are
`referred to herein as the “Vulnerability Features;” WAS and the Vulnerability
`Features are referred to collectively as the “Accused Products” or “Accused
`Features”).
` As explained more fully below, Qualys also provides Cloud Agent
`(CA) technology and Qualys Scanner Appliance and Virtual Appliance to collect
`data for the Accused Products.
At a high level, Qualys provides a cloud based platform for network security:
`
`The Qualys Cloud Platform is a platform of integrated solutions that
`provides businesses with asset discovery, network security, web
`application security, threat protection and compliance monitoring. It’s
`all in the cloud - simply log into your account from any web browser
`to get everything you need to secure all of your IT assets.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`25
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 7 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`Qualys Cloud Platform Quick Tour (available at
`https://www.qualys.com/docs/qualys-quick-tour.pdf) [FINJAN-QUALYS 419730].
` Qualys Cloud Platform was previously known as QualysGuard. It is a
`cloud-based architecture that “constantly collects, assesses and correlates asset and
`vulnerability information across customers’ cloud instances, on-premises systems
`and mobile endpoints, giving them a real-time, holistic view of their threat
`landscape and helping them prioritize their security and compliance remediation.”
`QUALYS00275578-0027579; see also QUALYS00112182.
` The Qualys Cloud Platform includes a “highly-scalable cloud
`architecture and modular security and compliance solutions [that] allow customers
`of all sizes, across many industries to access the functionality to help ensure the
`security of their IT infrastructures. [Qualys’] cloud platform serves organizations
`ranging from small businesses to globally distributed enterprises with millions of
`networked devices and applications.” FINJAN-QUALYS 043409-043420.
` Qualys markets and employs a variety of technologies to enable Qualys
`Cloud Platform—its “centrally managed cloud architecture [which is] anchored by
`[the] robust back-end threat analysis engine and powered by an integrated suite of
`security and compliance” applications and other technologies included in the
`Accused Products. QUALYS00275578-0027579.
` Qualys Cloud Platform stores data from Qualys sensors. Bachwani Tr.
`28:20-29:4. The data in the Qualys Cloud Platform is used to support all of the
`different Qualys products:
`
`Q. Which other Qualys products used the backend cloud platform
`other than Vulnerability Management?
`MR. SMITH: Objection. Vague.
`THE WITNESS: So, generally, the Qualys Cloud Platform supports
`all the products that we have.
`Bachwani Tr. 31:16-22.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`26
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 8 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` Qualys’s Cloud Platform supports a product suite that offers a set of
`“core services”:
`
`
`
`FINJAN-QUALYS 043095 and 096.
` The Qualys products have three primary components: (1) the sensors
`that are used to obtain data; (2) the various applications Qualys provides that
`analyze this data, i.e., Qualys’s cloud based applications; and (3) the backend
`Qualys systems responsible for aggregating and storing data. I discuss each of these
`in more detail below.
` Qualys Scanner Appliances and Cloud Agents
` The Qualys Cloud Platform collects data regarding the network through
the use of either scanners or cloud agents. Bachwani Tr. 46:12-47:12. A scanner is
an appliance that is used to collect data from endpoints and scan that data. Id.
` A scanner can be physical or virtual:
`27
`
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 9 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`By installing a scanner appliance within your network, you will have
`the ability to do vulnerability assessments for your entire network. We
`offer both physical appliances and virtual appliances for ease of
`integration with your network environment. The scanner appliance
`features a hardened OS kernel, is highly secure, and stores no data.
`Qualys Cloud Platform, Evaluator’s Guide (April 13, 2020) (available at
`https://www.qualys.com/docs/qualys-evaluators-guide.pdf) [FINJAN-QUALYS
`419671].
` A cloud agent is an application that is deployed on the endpoint itself,
`which is then also used to collect data from that endpoint. Bachwani Tr. 46:12-
`47:12; see also Cloud Agent, Getting Started Guide (available at
`https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf)
`[FINJAN-QUALYS 419160].
` There is no functional difference in physical and virtual scanners—both
`are devices in the network that are used to collect data. And both scanners and
`cloud agents collect the same data:
`
`Q. What is a scanner engine?
`MR. SMITH: I'll object as outside the scope of the notice topics, if
`this is a 30(b)(6) question.
`THE WITNESS: It's -- it's a physical or virtual appliance that can do
`vulnerability scans similar to what the cloud agent does.
`BY MR. LEE:
`Q. Are you aware of any difference between the scanner engine and
`the cloud agent?
`A. They generally collect the same data. And we do the same
`vulnerability analysis for -- it's just a different data collection
`mechanism. So in the case of the scanners, the scanners are
`connecting to the different endpoints and collecting the data. In the
`case of the cloud agent, the cloud agent is deployed on the endpoint
`itself and collecting the data.
`Bachwani Tr. 46:14-47:8; id. at 122:22-25.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`28
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 10 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
That is, just like the scanners collect data from endpoints and perform a
vulnerability analysis on that data (id.), Qualys’s cloud agents do the same:
`
`Q. What is the name of this code that runs on the system?
`A. That's called Qualys cloud agent.
`Q. How does Qualys cloud agent operate?
`A. That's a pretty broad question. Like what part of that would you
`like to know?
`Q. Well, you mentioned that the Qualys cloud agent runs on the client
`system?
`A. Yeah.
`Q. What does it do there?
`A. So on the client system, it looks at the files that are on the system
`that are installed by the customer, and the software that is installed,
`and collect the information about those files, and assess them for any
`issues or misconfigurations.
`Thakar Tr. 9:2-19 (referring to collecting data from endpoints and “assess[ing] them
`for any issues”); 11:16-12:2 (cloud agent collects the same type of information from
`cloud agents and a scanner appliance).
`
Qualys uses a “scanning engine” to collect data for Vulnerability
Management, Policy Compliance, and related features. Kruse Tr. 7:24-
8:12; Bachwani Tr. 119-16.
`
`The scanning engine for Vulnerability Management and Policy
`Compliance is “essentially the same”:
`
`Q What's the difference between the scanner engine for VM versus
`PC?
`MR. MAYS: Objection. Form.
`THE WITNESS: It's essentially the same scanner engine. It's the same
`code. It's just that the functionality is a little different between
`vulnerability management and policy compliance.
`Kruse Tr. 31:18-25.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`29
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 11 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` The scan data from this scanning engine is stored in an XML file.
`Kruse Tr. 35:2-25.
` Qualys’s scanning engine for the Vulnerability Features can parse web
`pages, such as HTML web pages. It does so, for example, by looking for patterns:
`
`Q Does the scanner engine -- strike that. Does the scanner engine ever
`parse HTML?
`A Yes.
`Q Can you describe how?
`A There are two ways. One way is sort of manually by looking for
`patterns. The other way, I'm not sure if we're still using it -- used to
`use it -- is there is a third-party library called libxml2. That library has
`a mode of operation in which it can be configured to parse HTML
`instead of XML.
`Q Does the scanner engine generate anything when it parses HTML?
`MR. MAYS: Objection. Form.
`THE WITNESS: Can you explain what you mean by "generate"? Are
`you talking about scan results or anything else?
`Q (By Mr. Lee) Correct. Scan results.
`A We perform -- well, we produce the Boolean result, saying you're
`vulnerable or you're not vulnerable based on the results of an HTTP
`detection running.
`Q Is there any kind of intermediary data structures generated in
`scanning?
`A Well, for HTTP parsing, the parsing itself generates the parsed data,
`obviously; but otherwise, I'm not aware of any other than trivial things
`like formatting a response using a printf-style formatter with fields.
`Q How is the parsed data represented?
`A Well, when we parse it manually, the parsed data is simply the
`matching section in the regular expression. With libxml2, it is the
`document returned by the library.
`Kruse Tr. 20:12-21:20.
` Based on Qualys documentation, Qualys appears to have been using
`libxml2 as of the following dates:
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`30
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 12 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
Bates # | Date | Relevance
QUALYS00257618 | Dec. 27, 2016 | Email referring to the use of libxml2
FINJAN-QUALYS 761791 | May 3, 2017 | Qualys shows user questions regarding libxml2. See Libxml2 QID's - False Positives (available at https://qualys-secure.force.com/discussions/s/question/0D52L00004TnvxcSAB/libxml2-qids-false-positives)
FINJAN-QUALYS 416793 | May 11, 2017 | Qualys documentation shows the use of libxml2. See Cloud Platform 8.10 API Release Notes at 106 (available at https://www.qualys.com/docs/release-notes/qualys-cloud-suite-8.10-api-release-notes.pdf) (referring to libxml2 with VM)
QUALYS00276198 | June 22, 2017 | Summary of vulnerabilities report referring to use of libxml2
QUALYS00034431 | 2019 | Qualys’s 2019 documentation refers to a license for using libxml2. See Qualys® Scanner Appliance Software Credits (available at https://www.qualys.com/docs/qualys-software-credits-scanner-appliance.pdf). The document lists a 2019 copyright date and its metadata shows a 2019 modification date.

Qualys’s scanning engine for the Vulnerability Features has two types
of parsers: a manual parser that is based on regular expressions, and a third party
parser:
`
`Q What do you mean by "manually scanned"?
`A Well, manually parsed. As I explained, that are two different types
`of parses. There is libxml2 and there is manual parsing based on the
`regular expression.
`Q Can you explain the difference?
`A Well, libxml2 is a library that has an industrial parser that is -- it's a
`third-party component integrating with.
`Our manual parser uses perl-compatible regular expressions. PCRE.
If you're familiar with it, libpcre.
`Q Why do you have two different kinds of parsers?
`A Because we have different use cases. In many use cases, all we care
`about is a particular piece of data coming back from the target, and
`that's the majority of cases. So it doesn't make sense for us to parse the
`whole file and consume the memory and CPU time needed for doing
`that.
`Kruse Tr. at 22:9-23:3.
` After the scanner engine for the Vulnerability Features parses data, it
`“immediately” processes the data:
`
`Q Is there some type of file that holds the parsed data?
`A No, there isn't. The data is immediately processed and used in the
`generation of the scan result.
`Kruse Tr. 20:12-21:20.
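To illustrate the two parsing approaches described in the testimony above (a targeted regular expression whose parsed data is just the matching section, versus a full-document parser whose output is the whole parsed document, with either result immediately reduced to a Boolean), here is an added Python example that is not Qualys code. The HTML response, the product name ExampleCMS and the “fixed in 2.4.0” rule are constructed; Python’s re module stands in for PCRE and the stdlib html.parser stands in for libxml2. It also shows one input on which the two approaches disagree.

```python
"""Two ways a vulnerability check can parse an HTTP response, side by side.

Added example; not code from the expert report or from any Qualys component.
The response body, the product name "ExampleCMS" and the "fixed in 2.4.0"
rule are constructed. Python's re module stands in for PCRE; the stdlib
html.parser stands in for a full-document parser such as libxml2.
"""
import re
from html.parser import HTMLParser

# Constructed HTTP response body as a scanner would receive it from a target.
RESPONSE_BODY = b"""<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="ExampleCMS 2.3.1">
<title>Welcome</title>
</head><body><p>Hello</p></body></html>
"""

FIXED_VERSION = (2, 4, 0)  # constructed rule: versions below this are flagged

# Manual parsing: one regular expression. The "parsed data" is simply the
# matching section, here the captured version string.
GENERATOR_RE = re.compile(
    rb'<meta[^>]*name="generator"[^>]*content="ExampleCMS ([0-9.]+)"', re.I)


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1), so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def check_by_regex(body: bytes) -> bool:
    """Detection via a targeted regex; no document tree is built."""
    match = GENERATOR_RE.search(body)
    if match is None:
        return False  # nothing to assess: reported as not vulnerable
    return parse_version(match.group(1).decode()) < FIXED_VERSION


class MetaCollector(HTMLParser):
    """Full-document parse: keeps every <meta> tag's attributes."""

    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.meta.append(dict(attrs))


def check_by_full_parse(body: bytes) -> bool:
    """Detection via a full parse of the document."""
    collector = MetaCollector()
    collector.feed(body.decode("utf-8", errors="replace"))
    for attrs in collector.meta:
        if (attrs.get("name") or "").lower() != "generator":
            continue
        content = attrs.get("content") or ""
        if content.startswith("ExampleCMS "):
            return parse_version(content.split(" ", 1)[1]) < FIXED_VERSION
    return False


def scan_result(body: bytes) -> dict:
    """Boolean result from both parsers, processed immediately (no file)."""
    by_regex = check_by_regex(body)
    by_parse = check_by_full_parse(body)
    return {"regex": by_regex, "full_parse": by_parse, "agree": by_regex == by_parse}


# A patched target, and a target whose attributes come in a different order.
PATCHED_BODY = RESPONSE_BODY.replace(b"2.3.1", b"2.4.0")
REORDERED_BODY = RESPONSE_BODY.replace(
    b'name="generator" content="ExampleCMS 2.3.1"',
    b'content="ExampleCMS 2.3.1" name="generator"')

if __name__ == "__main__":
    for label, body in (("original", RESPONSE_BODY), ("patched", PATCHED_BODY),
                        ("reordered", REORDERED_BODY)):
        print(label, scan_result(body))
```

The reordered case shows the trade-off the witness describes: the regex avoids parsing the whole file but sees only the exact pattern it was written for, while the full parse tolerates the changed attribute order.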
` Qualys’s Cloud Based Applications
` Qualys provides the below overview of its Cloud Based Applications:
`
`QUALYS00257792 at 795.
` Qualys provides the below overview of its cloud based offerings:
`
`
`
`[Qualys] has built a comprehensive suite of security and compliance
`Cloud Apps that stands currently at 18 apps and continues to grow.
`The Cloud Apps are self-updating, centrally managed and tightly
`integrated, and cover a broad swath of functionality in areas such as
`32
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 14 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`A No, it's not. This is an historic name. As I said, in the very early
`days, the WAS engine was inside of ML; and back then, the whole
`WAS functionality was in ML in this one module, and then this was
`changed. The WAS team was spun out into its own development team,
`and they developed -- they maintained their own code base, and then
`the architecture was changed so that the actual scan now runs in WAS
`and the webcrawl module has maintained its previous name, but it's
`only used for communication now.
`...
`Q What exactly is communicated by the webcrawl module?
`MR. MAYS: Objection. Outside the scope.
`THE WITNESS: Data from ML to WAS. It's just the start-up.
`Basically indicating how the scan was launched. URL. It's another
`metadata like that. And the flow in the opposite direction is the results
`that the WAS engine wants to return back to the data center.
`Kruse Tr. 130:24-131:23.
` “Vulnsigs” is a signature repository for known vulnerabilities. Kruse
`Tr. 59:22-60:6; id. at 135:10-17. Vulnsigs is also used by Vulnerability Management
`and Policy Compliance. Id.
` Qualys documentation refers to using a “web crawler” that
`“automatically balances the web site crawling to follow links down the web site
`branch (number of clicks) and across the branch (links at the same level), and tracks
`unique links that have already been crawled.” QUALYS00278827 at
`QUALYS00278828.
`5.
`Policy Compliance
` Qualys Policy Compliance (PC) is “a cloud service that performs
`automated security configuration assessments on your IT systems, whether they’re
`on-premises, remote, or in the cloud. It helps you to reduce risk and continuously
`comply with internal policies and external regulations.” FINJAN-QUALYS
`421276.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
Policy Compliance checks for compliance with organization policies
(e.g., password lengths):

` Qualys’s Database and Backend Systems
` The Qualys cloud applications depend on various backend systems.
`For example, Qualys uses an Oracle database to store information for Vulnerability
`Management:
`
`Q. Which database is used to store the output for VM?
`A. The Oracle database.
`Q. Can you describe how the output is stored in the Oracle database?
`A. I don't have the specifics on that. But, generally, it would basically
`identify the asset, the endpoint, and what vulnerabilities the scan
`found on the endpoint. And that would be normalized across a set of
`tables and stored in the tables.
`Bachwani Tr. 48:14-24.
` For example, Qualys KnowledgeBase is a repository of “known
`vulnerabilities and compliance controls for a wide range of devices, technologies
`and applications to power our security and compliance technology. The
`KnowledgeBase is dynamically updated with information on new vulnerabilities,
`control checks, validated fixes and content refinements on an ongoing basis.”
`FINJAN-QUALYS 043409 at 420.
` Qualys documentation states that the KnowledgeBase is “the largest
`and most up-to-date vulnerability signature database in the security industry
`referenced to the [Common Vulnerabilities and Exposures (CVE)] standard. The
`Qualys Vulnerability Research team provides daily updates to the Qualys
`KnowledgeBase at an average of 25 vulnerability signature updates per week. The
`discovery of new vulnerabilities and remedies are collected through internal
`research, commercial relationships and online sources.” FINJAN-QUALYS
`037712.
`VIII. Testing Overview
` As part of my analysis, I viewed and coordinated testing of the Qualys
`Cloud Platform, including various features such as Vulnerability Management
`45
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 16 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` Qualys’s “Knowledge Base” of security issues and vulnerabilities is
`incorporated into each of the infringing products.2 According to Qualys, this
`knowledge base is updated “with multiple vulnerability checks each day, as new
`vulnerabilities emerge.”3 Qualys updates new vulnerability signatures into the
`database “as soon as these signatures pass rigorous testing in the Qualys Quality
`Assurance Lab.”4 This process uses historical scans performed by other customers
`using the Qualys infringing products as a starting point for identifying “zero-day”
`and other vulnerabilities. See, e.g., Kruse Dep. Tr. 75–77. I understand that about
64 percent of Qualys’s revenues are from the United States.5 Additionally, Qualys
`itself is a U.S. company. When an overseas customer uses one of the infringing
`products, it benefits from the introduction of new signatures and other details into
`the Knowledge Base; those new signatures and other elements were derived in
`principal part from U.S.-based past use of the infringing product, uses that are
`infringing for the reasons stated above. Without the regular updates—most of
`which were from the U.S., and thus were the product of infringement—the Accused
`Products would have little value either overseas or domestically. It is thus my
`opinion that overseas use of the accused products both benefits from and requires
`infringement domestically.
` Further, several of the infringed claims are computer-readable medium
`claims. I understand that Qualys conducts research and development activities in
`
`
`2 See
`https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/knowledgebase/knowl
`edgebase_lp.htm [QUALYS00878802]
`3 https://www.qualys.com/support/faq/general/ [FINJAN-QUALYS 768800]
`4 Id.
5 Qualys 10-K (2019) at 85.

b) Limitation 1[b]: “receiving, by a computer, an incoming stream of program code”
` The Qualys Cloud Platform satisfies this limitation. The Qualys Cloud
`Platform is for network security. See Qualys Cloud Platform Quick Tour (available
`at https://www.qualys.com/docs/qualys-quick-tour.pdf) [FINJAN-QUALYS
`419730]. The Qualys Cloud Platform retrieves data from Qualys sensors.
`Bachwani Tr. 28:20-29:4. The Qualys Cloud Platform scans this data and analyzes
`it for use with Qualys’s cloud based security tools. The data in the Qualys Cloud
`Platform is used to support all of the different Qualys products, which would include
`all of the Accused Features. Bachwani Tr. 31:16-22.
` At a high level, the Qualys Cloud Platform relies on different
`techniques for scanning content that results in the receipt, by a computer (the
`scanner engine of Qualys Cloud Platform used by the Vulnerability Features, the
`WAS scanner of the Qualys Cloud Platform, or the Qualys Cloud Platform working
`with a Cloud Agent), of different incoming streams of program code (e.g., the
`program code scanned by the Vulnerability Features and WAS). The program code
`can be in different formats (e.g., XML, HTML, JavaScript, Flash, PDF, DOCX, raw
`data from an endpoint, etc.), and thus, written in a plurality of programming
`languages.
`
`(1) Vulnerability Features
` As a first example of the Qualys Cloud Platform “receiving, by a
`computer, an incoming stream of program code,” the Qualys Cloud Platform uses a
`scanner engine for the Vulnerability Features that performs various network
`transactions and collects data from responses to those transactions. As stated above,
`all of the Vulnerability Features make use of the same scanner engine. See infra
`Section X.A. The response received by the scanner engine is “receiving, by a
`computer, an incoming stream of program code.”
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`66
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 195-9 Filed 05/10/21 Page 18 of 53
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`THE WITNESS: During the VM scan, the vulnerability management
`scan.
`Kruse Tr. 27:12-23.
` Additionally, the Vulnerability Features can also use a cloud agent to
`collect data. Kruse Tr. 109:2-10. A cloud agent collects generally the same data as
`a scanner. See, e.g., Thakar Tr. 9:2-19; 11:16-12:2 (cloud agent collects the same
`type of information from cloud agents and a scanner appliance). Also, a cloud agent
`can retrieve “metadata on certain files, processes, and registry keys” from an
`endpoint. QUALYS00347915 at 916-917.
` Thus, in this example of the Vulnerability Features, the Qualys Cloud
`Platform includes a “computer,” such as the scanner engine, and the collected data
by that scanner engine, such as HTML received in response to a network transaction
or data received in response to a webcrawl, is an “incoming stream of program
code.” The Vulnerability Features of the Qualys Cloud Platform also include a
Cloud Agent that receives data from an endpoint. Bachwani Tr. 46:12-47:12; see
`also Cloud Agent, Getting Started Guide (available at
`https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf)
`[FINJAN-QUALYS 419160]. The Cloud Agent provides that collected information
`to a server associated with the Cloud Agent. See, e.g., QUALYS01993472 at
`QUALYS01993971 (describing the general workflow for the Cloud Agent, which
`includes uploading scanned data, i.e., a “snapshot”, to server associated with the
`Cloud Agent).
`
`(2) WAS
` As a second example, the Qualys Cloud Platform “receiv[es], by a
`computer, an incoming stream of program code” through the collection of data from
`WAS scanners. WAS scanners scan a website—unauthenticated pages in
`particular—and c