Case 4:18-cv-07229-YGR Document 202-2 Filed 06/01/21 Page 1 of 60
Exhibit 8

REDACTED VERSION OF DOCUMENT
SOUGHT TO BE SEALED

HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
OAKLAND DIVISION

FINJAN LLC., a Delaware Limited Liability Company,
Plaintiff,

v.

QUALYS INC., a Delaware Corporation,
Defendant.

Case No. 4:18-cv-07229-YGR (TSH)
Hon. Yvonne Gonzalez Rogers

EXPERT REPORT OF NENAD MEDVIDOVIC, PH.D.
[HC-AEO]

Nenad Medvidovic, Ph.D.
December 1, 2020
MEDVIDOVIC EXPERT REPORT
Case No. 4:18-cv-07229-YGR (TSH)
Qualys’s Cloud Platform supports a product suite that offers a set of “core services”:

FINJAN-QUALYS 043095 and 096.

The Qualys products have three primary components: (1) the sensors that are used to obtain data; (2) the various applications Qualys provides that analyze this data, i.e., Qualys’s cloud-based applications; and (3) the backend Qualys systems responsible for aggregating and storing data. I discuss each of these in more detail below.

Qualys Scanner Appliances and Cloud Agents

The Qualys Cloud Platform collects data regarding the network through the use of either scanners or cloud agents. Bachwani Tr. 46:12-47:12. A scanner is an appliance that is used to collect data from endpoints and scan that data. Id.

A scanner can be physical or virtual:
By installing a scanner appliance within your network, you will have the ability to do vulnerability assessments for your entire network. We offer both physical appliances and virtual appliances for ease of integration with your network environment. The scanner appliance features a hardened OS kernel, is highly secure, and stores no data.

Qualys Cloud Platform, Evaluator’s Guide (April 13, 2020) (available at https://www.qualys.com/docs/qualys-evaluators-guide.pdf) [FINJAN-QUALYS 419671].

A cloud agent is an application that is deployed on the endpoint itself, which is then also used to collect data from that endpoint. Bachwani Tr. 46:12-47:12; see also Cloud Agent, Getting Started Guide (available at https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf) [FINJAN-QUALYS 419160].

There is no functional difference between physical and virtual scanners—both are devices in the network that are used to collect data. And both scanners and cloud agents collect the same data:

Q. What is a scanner engine?
MR. SMITH: I'll object as outside the scope of the notice topics, if this is a 30(b)(6) question.
THE WITNESS: It's -- it's a physical or virtual appliance that can do vulnerability scans similar to what the cloud agent does.
BY MR. LEE:
Q. Are you aware of any difference between the scanner engine and the cloud agent?
A. They generally collect the same data. And we do the same vulnerability analysis for -- it's just a different data collection mechanism. So in the case of the scanners, the scanners are connecting to the different endpoints and collecting the data. In the case of the cloud agent, the cloud agent is deployed on the endpoint itself and collecting the data.

Bachwani Tr. 46:14-47:8; id. at 122:22-25.
That is, just like the scanners collect data from endpoints and perform a vulnerability analysis on that data (id.), Qualys’s cloud agents do the same:

Q. What is the name of this code that runs on the system?
A. That's called Qualys cloud agent.
Q. How does Qualys cloud agent operate?
A. That's a pretty broad question. Like what part of that would you like to know?
Q. Well, you mentioned that the Qualys cloud agent runs on the client system?
A. Yeah.
Q. What does it do there?
A. So on the client system, it looks at the files that are on the system that are installed by the customer, and the software that is installed, and collect the information about those files, and assess them for any issues or misconfigurations.

Thakar Tr. 9:2-19 (referring to collecting data from endpoints and “assess[ing] them for any issues”); 11:16-12:2 (cloud agent collects the same type of information from cloud agents and a scanner appliance).

Qualys uses a “scanning engine” to collect data for Vulnerability Management, Policy Compliance, and related features. Kruse Tr. 7:24-8:12; Bachwani Tr. 119:16.

The scanning engine for Vulnerability Management and Policy Compliance is “essentially the same”:

Q What's the difference between the scanner engine for VM versus PC?
MR. MAYS: Objection. Form.
THE WITNESS: It's essentially the same scanner engine. It's the same code. It's just that the functionality is a little different between vulnerability management and policy compliance.

Kruse Tr. 31:18-25.
The scan data from this scanning engine is stored in an XML file. Kruse Tr. 35:2-25.

Qualys’s scanning engine for the Vulnerability Features can parse web pages, such as HTML web pages. It does so, for example, by looking for patterns:

Q Does the scanner engine -- strike that. Does the scanner engine ever parse HTML?
A Yes.
Q Can you describe how?
A There are two ways. One way is sort of manually by looking for patterns. The other way, I'm not sure if we're still using it -- used to use it -- is there is a third-party library called libxml2. That library has a mode of operation in which it can be configured to parse HTML instead of XML.
Q Does the scanner engine generate anything when it parses HTML?
MR. MAYS: Objection. Form.
THE WITNESS: Can you explain what you mean by "generate"? Are you talking about scan results or anything else?
Q (By Mr. Lee) Correct. Scan results.
A We perform -- well, we produce the Boolean result, saying you're vulnerable or you're not vulnerable based on the results of an HTTP detection running.
Q Is there any kind of intermediary data structures generated in scanning?
A Well, for HTTP parsing, the parsing itself generates the parsed data, obviously; but otherwise, I'm not aware of any other than trivial things like formatting a response using a printf-style formatter with fields.
Q How is the parsed data represented?
A Well, when we parse it manually, the parsed data is simply the matching section in the regular expression. With libxml2, it is the document returned by the library.

Kruse Tr. 20:12-21:20.

Based on Qualys documentation, Qualys appears to have been using libxml2 as of the following dates:
b) Limitation 1[b]: “receiving, by a computer, an incoming stream of program code”

The Qualys Cloud Platform satisfies this limitation. The Qualys Cloud Platform is for network security. See Qualys Cloud Platform Quick Tour (available at https://www.qualys.com/docs/qualys-quick-tour.pdf) [FINJAN-QUALYS 419730]. The Qualys Cloud Platform retrieves data from Qualys sensors. Bachwani Tr. 28:20-29:4. The Qualys Cloud Platform scans this data and analyzes it for use with Qualys’s cloud based security tools. The data in the Qualys Cloud Platform is used to support all of the different Qualys products, which would include all of the Accused Features. Bachwani Tr. 31:16-22.

At a high level, the Qualys Cloud Platform relies on different techniques for scanning content that results in the receipt, by a computer (the scanner engine of Qualys Cloud Platform used by the Vulnerability Features, the WAS scanner of the Qualys Cloud Platform, or the Qualys Cloud Platform working with a Cloud Agent), of different incoming streams of program code (e.g., the program code scanned by the Vulnerability Features and WAS). The program code can be in different formats (e.g., XML, HTML, JavaScript, Flash, PDF, DOCX, raw data from an endpoint, etc.), and thus, written in a plurality of programming languages.

(1) Vulnerability Features

As a first example of the Qualys Cloud Platform “receiving, by a computer, an incoming stream of program code,” the Qualys Cloud Platform uses a scanner engine for the Vulnerability Features that performs various network transactions and collects data from responses to those transactions. As stated above, all of the Vulnerability Features make use of the same scanner engine. See infra Section X.A. The response received by the scanner engine is “receiving, by a computer, an incoming stream of program code.”
handles many different types of services, and the source code and basic operation of the scanner do not change when adapting to different languages, it is a “generic scanner.” Thus, the scanner engine used with Vulnerability Features satisfies the limitation requiring “generating or requesting a generic scanner”:

Q What other type of services or scans are performed other than discovery scans?
A You mean what types of services we send requests to?
Q Sure.
A Many different. Hundreds of services.
Q Is there any primary ones?
A Well, primary ones are HTTP, HTTPS and the various services that provide us with authenticated access to a target. This includes SSH and SMB and the various database protocols.

Kruse Tr. 14:2-12; see also id. at 16:22-17:8 (stating that scanner engine checks for vulnerabilities by interpreting responses received to initiated network transaction).

Note that “in response to . . . determining” that the incoming stream is a particular programming language, the scanner engine uses particular logic for scanning (including logic specific to the programming language). The scanner engine used with Vulnerability Features relies upon selecting signatures in a signature repository and executing those signatures. The scanner engine determines the specific scanning logic to perform based on the vulnerability being checked. For example, “in response to [a] determin[ation]” that an HTTP vulnerability is being checked, the generic scanner engine uses HTTP specific logic (including HTTP specific parsing logic) from the signature repository:

Q Can you elaborate, what do you mean by “the scripting engine that interfaces with vulnerability signatures”?
A Vulnerability signatures are written in a certain style, and this style, this method has to be supported by the scanner engine. So there is code in the scanner engine that allows us to run signatures.
Q What do you mean by “run signatures”?
A Execute them.
Q What do you mean by “execute them”?
A Well, a signature has to perform its work; right? If a signature states that we're supposed to send an HTTP request and wait for a response and then look at the result, that has to be written in code; right? There has to be code that actually does that, that looks at the signature and then does what the signature expects the code to do.
Q Can you provide a specific example?
A Well, I just did; right? The signature can have an HTTP request in it and then the regular expression for an HTTP response. And in that case, the scanner engine would do that. It would look for the request, send the request, wait for the response, and match the response content.
Q So you're saying it's the signature that does that? Not the scanner engine applying the signature?
MR. MAYS: Objection. Misstates testimony.
THE WITNESS: The signature is data. The scanner engine is code. So the code looks at the data and then executes the functionality.

Kruse Tr. 46:31-48:4.

The specific scanning logic to be used is “spread out across thousands of files,” and “depends” on what is being scanned:

Q (By Mr. Lee) Can you identify the specific directories for generating scan results?
A No, I cannot. And the reason for that is that the code to generate scan results is spread out across thousands of files which live in thousands of directories. Every module produces its own scan results and therefore has code for producing scan results.
In addition to that, we have libraries, helper libraries used by modules which can also produce scan results. They have code to do that. On top of that, we have some hard-coded QIDs which are directly in the main engine, the ML scanner engine. There is formatting code there as well.
Producing scan results is a low-level action inside of ML that occurs in so many different places. Basically think of it as just normal string
formatting, but you may be familiar with something like printf or scanf or so, but that’s what happens.
(Reporter clarification.)
THE WITNESS: Think of it as formatting, data formatting. So this is a generic activity which happens in program code in many, many places. It is not centralized in one location in the code.
Q (By Mr. Lee) Can you identify the primary directories --
MR. MAYS: Objection. Form.
Q (By Mr. Lee) -- for generating scan results?
MR. MAYS: Objection. Form.
THE WITNESS: Again, each module has its own code. There is no primary. Primary would suggest that some modules do a lot of it and some do less. It depends on what the customer scans. If you scan Windows, it’s in one place. If you scan Unix, it’s in another place. If you scan a web service, yet another place. If it's an FTP server, it's somewhere else.
There are literally at least hundreds, possibly over a thousand places where this takes place, depending on what you're scanning.

Kruse Tr. 187:24-189:17.

One such type of scanning based on signatures offered by the scanner engine used with Vulnerability Features is the ability to scan and parse the programming language used by the incoming data stream (such as HTML):

Q Does the scanner engine -- strike that. Does the scanner engine ever parse HTML?
A Yes.

Kruse Tr. 20:12-14.

Thus, the scanner engine used with Vulnerability Features “can scan the programming language” of the incoming data stream. For instance, the scanner engine used with Vulnerability Features looks for patterns in the HTML, thus it has “language-specific data, rules, or both”:

Q Can you describe how [the parser engine parses HTML]?
A There are two ways. One way is sort of manually by looking for patterns. The other way, I'm not sure if we're still using it -- used to use it -- is there is a third-party library called libxml2. That library has a mode of operation in which it can be configured to parse HTML instead of XML.

Kruse Tr. 20:15-22.

When parsing HTML, the scanner engine used with Vulnerability Features searches for certain HTML tags, using regular expression matching in the text stream. Mr. Kruse notes that the regular expression matching may even search for multiple tags:

Q So using HTML as an example, can you provide an example how the parsed data would be represented if it's scanned by the scanner engine?
A Well, the scanner engine would just be the tag that we're matching. So it would be a piece of text that encompasses the tag and possibly multiple tags that we -- that the regular expression matches as a text stream.

Kruse Tr. 21:21-22:3.
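To make concrete the arrangement the testimony above describes (the signature is data; the engine is code that reads the signature, sends the request, waits for the response and matches a regular expression against the response as a text stream, where one match may span several tags), the following is an added illustration. It is a constructed example and not Qualys's code or Vulnsigs content: the `Signature` and `ScanResult` types, the QID numbers, the check titles, the `{host}` placeholder and the sample responses are all hypothetical, and the responses are embedded inline so the example runs offline instead of opening a network connection.

```python
"""Illustrative signature-driven scanner engine (constructed example, not Qualys code).

The engine knows nothing about any particular vulnerability. Each signature is a
record of data (the request text to send and the regex to apply to the response);
the engine is the code that executes whatever the signature describes and reports
a Boolean result plus the matched section of the response (the "parsed data").
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One check. `qid` is a hypothetical identifier modelled on the QIDs the
    testimony mentions; the real numbering scheme is not reproduced here."""
    qid: int
    title: str
    request: str           # request the engine would send ({host} is a placeholder)
    response_pattern: str  # regex applied to the response as a text stream
    flags: int = re.IGNORECASE | re.DOTALL


@dataclass
class ScanResult:
    qid: int
    vulnerable: bool
    evidence: str  # the matching section of the response, or "" if no match


# Constructed signature repository: the data the engine reads, not the engine itself.
SIGNATURES = [
    Signature(
        qid=900001,  # hypothetical QID
        title="Directory listing exposed (constructed check)",
        request="GET /uploads/ HTTP/1.1\r\nHost: {host}\r\n\r\n",
        response_pattern=r"<title>\s*Index of /",
    ),
    Signature(
        qid=900002,  # hypothetical QID
        title="Password field without autocomplete=off (constructed check)",
        request="GET /login HTTP/1.1\r\nHost: {host}\r\n\r\n",
        # One match spanning two tags, the <form> and the password <input>,
        # as the testimony says a regex may encompass multiple tags.
        response_pattern=(
            r"<form[^>]*>.*?<input[^>]*type=[\"']?password[\"']?"
            r"(?![^>]*autocomplete=[\"']?off)[^>]*>"
        ),
    ),
]


def run_signature(sig: Signature, response: str) -> ScanResult:
    """The generic engine step: look at the signature (data) and execute it
    against the response text. The matched span is the only parsed data kept."""
    m = re.search(sig.response_pattern, response, sig.flags)
    return ScanResult(sig.qid, m is not None, m.group(0) if m else "")


def scan(responses: dict[int, str]) -> list[ScanResult]:
    """Run every signature for which a response is available (keyed by qid).
    A networked engine would send `sig.request` and read the reply instead."""
    return [run_signature(s, responses[s.qid]) for s in SIGNATURES if s.qid in responses]


# Constructed sample responses standing in for what a scanner would receive.
SAMPLE_RESPONSES = {
    900001: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html><head><title>Index of /uploads/</title></head><body>...</body></html>",
    900002: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<form action='/login' method='post'>"
            "<input name='user'><input name='pw' type='password'></form>",
}

if __name__ == "__main__":
    for r in scan(SAMPLE_RESPONSES):
        print(f"QID {r.qid}: vulnerable={r.vulnerable} evidence={r.evidence!r}")
```

Only the two `Signature` records change when a new check is added; `run_signature` stays the same, which is the point the witness makes when he says the signature is data and the engine is code.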
The scanner engine used with Vulnerability Features therefore includes a “scanner comprising parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious.”

As discussed above, the scanner engine used with Vulnerability Features determines which specific exploits to search for (for example, in the received HTML) using a database of signatures that Qualys refers to as Vulnsigs. See, e.g., QUALYS01943390 at QUALYS01943393 (“The "Vulnsigs" package contains vulnerability signatures”); see also QUALYS01059079 at QUALYS01059111 (discussing vulnerability scanning setups “Specify Vulnsigs
version” that requires “For VM and PC testing, we always use LATEST, which points to daily Vulnsigs release. We have Vulnsigs release from Monday to Thursday.”).

More specifically, the scanner engine used with Vulnerability Features searches for the indicators identified in Vulnsigs as an indicator of a potential vulnerability. The data from Vulnsigs is the claimed “analyzer rules,” which “identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious”:

Q Can you describe how the signature team would look up the signature?
A Well, we have files that contain the signatures, development files, and those files have that data. The signature team has access to them. That's what they work with.
Q Is there a name for those type of files?
A Called Vulnsigs files. That's V-U-L-N-S-I-G-S. Vulnsigs is our internal name for the vulnerability signature base.

Kruse 59:22-60:6; see also 190:10-191:18.

In addition, the Qualys Vulnerability Features leverage Qualys’s KnowledgeBase of known vulnerabilities. FINJAN-QUALYS 416092. “Qualys Vulnerability Management (VM) can identify known vulnerabilities in application software such as databases, web servers, and middleware in the same way that it does for OS vulnerabilities. Multiple signatures exist to identify weak encryption configuration for legacy protocols, along with signatures to identify applications no longer supported by the vendor (EOL).” QUALYS00289149. “KnowledgeBase includes more than 18,000 vulnerability signatures. Forty-five percent of the vulnerabilities tracked are designated the highest level of severity by their vendors in terms of potential destruction, complexity, and liability to customers' networks. Attacks that exploit vulnerabilities at these levels allow intruders to easily gain
control of the host, which may lead to compromising security of the entire network” FINJAN-QUALYS 037712.

The scanner engine does not make a determination of vulnerability when scanning for the PC tool (Kruse Tr. 31:18-32:14), but the data collected by the scanner engine still includes “indicators of potential exploits.” For example, where a policy has determined that a password should be rotated every 90 days to avoid an exploit, one of the data points collected is the number of days that passwords are rotated:

Q. What type of raw data points are gathered by policy compliance?
A. Well, whichever is necessary for the individual policy. This is all policy-driven so the customer defines the policy. Very often these policies come from government regulations or industry regulations. So whatever data points they need is what we gather. So an example, for instance, if you need one, would be there may have to be a requirement to have a password policy, a rotation policy on a target system, to rotate passwords every 90 days, and the data point then would be the number of days that the computer system has configured for its password-protection policy.

Kruse Tr. 32:15-33:4.

Qualys advertises to customers that the Policy Compliance tool helps identify exploits (“vulnerabilities and violations”) before they are hacked. E.g., Securing Databases with Qualys Policy Compliance (available at https://blog.qualys.com/product-tech/2020/01/06/securing-databases-with-qualys-policy-compliance) [FINJAN-QUALYS 769015] (“Qualys Policy Compliance (PC) automates the labor-intensive process of checking settings and misconfigurations in your environment. It helps you identify vulnerabilities and violations before they get out of hand and makes remediation easy.”).

Thus, the scanner engine used with Vulnerability Features uses logic to parse HTML using regular expression matching of tags (searching for lexical
constructs specific to HTML) to identify potential vulnerabilities (combinations of tags as an indicator of a potential exploit).

Additionally, the Cloud Platform supporting the Vulnerability Features satisfies this limitation. The server associated with the Cloud Agent receives and interprets a JSON file containing the snapshot information. QUALYS01993472 at QUALYS01993551. In order to do so, the server associated with the Cloud Agent must parse the JSON using specific lexical constructs. A JSON file defines these specific constructs in a “definitions” field. Using the JSON information and any definitions available for the JSON tree, the server associated with the Cloud Agent can make use of a generic JSON parser and apply language specific rules to interpret the data from the Cloud Agent.

The scanner used by the server associated with the Cloud Agent also makes use of the claimed “analyzer rules . . . wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious.” Specifically, the data collected from the Cloud Agent is associated with a “manifest.” QUALYS00347915 at QUALYS00347916. The manifest version is an example of “analyzer rules,” because it identifies the potential vulnerabilities:

Asset Metadata Collected by Cloud Agent
The Cloud Agent design differs from the Qualys Scanner approach in that the agent does not perform vulnerability management and policy compliance processing in the agent itself. Rather, the Cloud Agent simply collects metadata on certain files, processes, and registry keys to find installed software, configuration settings, and environmental variables and securely transmits the metadata to the Qualys Platform for processing on the platform. The specifications of what the agent collects are defined in a configuration file called a "manifest" that is dynamically generated on the platform and downloaded by the agent when new vulnerability management QIDs and policy compliance CIDs are created by the Qualys content teams.

Id.
stream, [a hierarchical structure of interconnected nodes built from scanned content] whose nodes represent tokens and patterns in accordance with the parser rules.”

Qualys’s Cloud Platform satisfies this limitation a number of ways. At a high level (and as set forth above), the Qualys Cloud Platform receives an incoming stream of code, such as the scanned data for the scanner engine used with Vulnerability Features or the scanned XML, HTML, JavaScript, Flash, or other files used with the WAS scanner. The Qualys Cloud Platform builds a hierarchical data structure, such as XML, a variant of XML (e.g., JSON), or a proprietary data structure built from content for XML. Individual nodes in those data structures represent tokens and patterns identified by a parser (such as parsing the XML, HTML, JavaScript, or Flash using language specific parsing rules). The Qualys Cloud Platform builds the data structures immediately and while data is being received.

As background, Qualys relies on maintaining information in the cloud (in fact, all of Qualys’s products are dependent upon data stored in Qualys’s Cloud Platform):

Q. Can you identify which backend system you're referring to that has the Oracle database?
A. So Qualys has a backend platform, and Oracle is one of the databases in the backend platform.
Q. What do you mean by "backend platform"?
A. The Qualys sensors that collect the data, they send the data up to the Qualys platform.
Q. Is there a name for this backend platform?
A. We call it the Qualys Cloud Platform.

Bachwani Tr. 28:17-29:4.

Q. Which other Qualys products used the backend cloud platform other than Vulnerability Management?
MR. SMITH: Objection. Vague.
Q. Is there a name for this data structure?
A. No. Well, typically these kinds of data structures are called arrays.

Kruse Tr. 30:13-31:4.

Thus, the scanned and parsed content stored in the memory is an example of a hierarchical structure of interconnected nodes built from scanned content (i.e., a “parse tree”).

The XML file rendered from the scan results is also an example of a “parse tree.” The XML file is rendered in a form that is compatible with scan-1.dtd. See C:\code\QWEB\qweb\msp\scan.php [QUALYS_SC_000358-387] at line 7; see also Bachwani Tr. 216:8-217:7; Vulnerability Scan Results in XML [QUALYS00878883]. An XML file in that format is hierarchical in nature. For example, QUALYS00878883 depicts a recent “scan-1.dtd.” Thus, the XML file of results created by the scanning engine is also a hierarchical structure of interconnected nodes built from scanned content.

Thus, the output of the scanner engine is communicated to the Qualys backend systems in XML format that is another example of the claimed “parse tree” as construed.

The scanning engine generates output during the scanning process. According to Qualys engineer, Mr. Kruse, the scan results are built “immediately” upon parsing input:

Q Is there some type of file that holds the parsed data?
A No, there isn't. The data is immediately processed and used in the generation of the scan result.

Kruse Tr. 22:4-8.

Thus, the scan results (which include the array and the resulting XML output) are “dynamically buil[t], by the computer while said receiving receives the incoming stream.”
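To show what it means for a hierarchical result structure to be built while the input is still arriving, rather than after the whole response has been buffered, the following is an added example. It is constructed and is not Qualys's code: `StreamingTagIndexer`, the element names, the sample IP address and the sample chunks are hypothetical, and the result layout is a toy schema, not scan-1.dtd. Each chunk of an HTML response is matched as soon as it arrives, every matched tag becomes a node in an XML result tree immediately, and a tag that is split across a chunk boundary is carried over so it is still found.

```python
"""Constructed example: grow an XML result tree while the stream is still arriving.

Not Qualys code. `StreamingTagIndexer` and the <SCAN>/<IP>/<TAG> layout are
hypothetical; scan-1.dtd is not reproduced here.
"""
import re
import xml.etree.ElementTree as ET

# Tags of interest for this illustration; the regex runs over the text stream.
TAG_RE = re.compile(r"<(script|iframe|form)\b[^>]*>", re.IGNORECASE)
MAX_CARRY = 4096  # bound on how much unclosed text is held between chunks


class StreamingTagIndexer:
    def __init__(self, target: str):
        self.root = ET.Element("SCAN")                      # hypothetical root
        self.ip = ET.SubElement(self.root, "IP", value=target)
        self.carry = ""   # tail of the previous chunk that may hold a partial tag
        self.offset = 0   # stream offset of self.carry[0]
        self.count = 0

    def feed(self, chunk: str) -> int:
        """Consume one chunk as it arrives; return how many nodes it added.
        Nodes are appended to the tree here, before any later chunk is seen."""
        data = self.carry + chunk
        last = 0
        added = 0
        for m in TAG_RE.finditer(data):
            node = ET.SubElement(
                self.ip, "TAG",
                name=m.group(1).lower(),
                offset=str(self.offset + m.start()),
            )
            node.text = m.group(0)   # the matched text is the parsed data kept
            last = m.end()
            added += 1
        # Carry the text from the last '<' after the final match: it may be the
        # start of a tag whose '>' lies in the next chunk. A stray '<' that never
        # closes is capped so the carry cannot grow without bound.
        cut = data.rfind("<", last)
        if cut == -1 or len(data) - cut > MAX_CARRY:
            cut = len(data)
        self.carry = data[cut:]
        self.offset += cut
        self.count += added
        return added

    def xml(self) -> str:
        """Serialize the tree as it stands; can be called between chunks."""
        return ET.tostring(self.root, encoding="unicode")


# Constructed sample: one response body delivered in three chunks, with both
# interesting tags split across chunk boundaries.
SAMPLE_CHUNKS = [
    "<html><body><scr",
    "ipt src='a.js'></script><p>x</p><ifr",
    "ame src='b'></iframe>",
]

if __name__ == "__main__":
    idx = StreamingTagIndexer("198.51.100.10")  # documentation-range address
    for c in SAMPLE_CHUNKS:
        print(f"chunk added {idx.feed(c)} node(s); tree so far: {idx.xml()}")
```

Printing the tree after each chunk makes the point visible: the `<TAG>` for the script element exists after the second chunk, before the third chunk has been received.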
Further evidence that the scan results are built while the scanning is occurring (and thus, while the scanner engine used with the Vulnerability Features is receiving an incoming stream of data) is the use of “parallelization.” Qualys’s Vulnerability Features support parallelization, which allows scans to be run in parall
