How Lyra Helped An Embedded GPS & Map Tracking Company With M&A Audits.

Introduction

Our client is an up-and-coming, on-demand transportation and ride-sharing mobile technology company based in Singapore. They mainly deal in GPS and map tracking solutions, but they also have several other products in their portfolio. They are very popular in Southeast Asia and operate in Indonesia, Malaysia, Myanmar, the Philippines, and Vietnam.

The company connects millions of consumers to millions of drivers, merchants, and businesses. They are currently taking on the largest problems that affect the region: inequality, outdated infrastructure, and income disparity. Many people in Southeast Asia face everyday limitations such as traffic congestion and a lack of public infrastructure, and their app tries to solve these everyday challenges to make life easier.

Background & Challenge

A few years ago, we engaged with this client to further our discussions on open-source compliance and the impact of security vulnerabilities in their code. We stayed in constant touch with the client and spent a year and a half educating them on open source audits and compliance. Since the client's business was mainly GPS and map tracking, their product was white-labeled under OEM contracts with a few Tier 1 companies in the SEA region, and their maps were now embedded in the products of top Tier 1 companies.

A few years after the initial engagement, the client needed to conduct open-source audits. Through our steady relationship over the years, they were convinced of our capabilities and of the vast number of open-source audits Lyra has carried out for organizations big and small, so they approached us for help with their open source audits. They chose Lyra over others because we had helped them and maintained a strong relationship with them ever since they were an early-stage start-up.

Usually, start-up developers take code either from the internet or from readily available repositories to build a product. Once the product was created and the proof of concept succeeded, the client's product was embedded in a couple of Tier 1 suppliers' products. Because of the product's wide range of features and capabilities, they were then engaged by a global Tier 1 supplier in the automotive space. This Tier 1 supplier was now interested in acquiring the client's company, and this is when the client approached Lyra for help with open source audits in the context of a merger and acquisition.

The Solution

With the codebase we received from the client, we first performed an open source audit to identify and map out the open-source components, using our enterprise code-scanning solution. We used a wide variety of techniques to ferret out unknown open source. In most cases the enterprise tool definitively identifies open source components, but sometimes, because of limited information in the code, it only provides clues for our expert auditors to analyze further. Our OSS auditors were tasked with identifying the licenses associated with those open source components. We were then able to compile a list of components with OSS license compliance conflicts, and we analyzed and categorized these licenses as low, medium, or high risk. Once this was done, we shared the list of components with legal issues and license conflicts with the client and submitted an open source audit report for remediation of these issues.

Although the agreed timeline to fix and remediate the license conflicts was two weeks, the client came back to us within a week because of the urgency of getting things done. After the remediation, we ran a final delta audit scan on the code to check and verify the fixes made by the client's teams.

The Impact

Usually, the life cycle of an open source audit is one month, but because of the urgency and significant time pressure of this M&A transaction, we at Lyra went far beyond expectations and completed it in just 5 days. Our open-source auditors worked around the clock to get the job done. Our vast experience and reputation in the field of audits has enabled us to impress our clients time and again with our responsiveness, even when we are called in at the eleventh hour.

Once we had verified the remediated issues, we submitted a final open-source compliance report. Our client then shared this report with the global Tier 1 supplier in the automotive space. On the strength of this compliance report, our client was successfully acquired at a good valuation.

Interested in Open Source Audits for M&A transactions and remediation of legal and OSS compliance issues? Contact us at sales@lyrainfo.com

Mitigating OSS Security Vulnerabilities to Stay Compliant

Introduction

The client in question is India's largest fashion e-commerce company and biggest online shopping site for fashion and lifestyle. They are headquartered in Bengaluru. They are the one-stop shop for footwear, clothing, accessories, cosmetics, and lifestyle products for both women and men, featuring over 500 leading Indian and international brands. They aim to provide a hassle-free and enjoyable shopping experience to shoppers across the country with the widest range of brands and products on their site. The brand is making a conscious effort to bring the power of fashion to shoppers with an array of the latest and trendiest products available in the country.

The Challenge

Today, with numerous open source components available for developers to leverage when building innovative products, most companies face the challenge of identifying which open source components are in use, how to manage these components in their codebase, and the security risks associated with them. Companies do not want to be in a situation where they are exposed to hacker attacks and data breaches. At the same time, they do not want to face copyright injunctions from a code author over their use of open source components. This is one of the reasons organizations go for open source audits.

The client's main development centre housed many individual teams working on different areas of the e-commerce site. Each development business unit comprised many levels of subteams, and each subteam worked on many repos and projects. Drawing on Lyra's years of experience in conducting open source audits, the client approached us to perform an open source audit on their code dumps. They wanted to know whether their code was compliant with OSS policies and whether the dependencies it used were free from known open source security vulnerabilities.

The Solution

Combining a decade of Lyra's open source audit expertise with our enterprise solution for code scanning and vulnerability detection, we first performed an open source audit over a total code size of close to 80 GB. We scanned the code to measure the amount of open source code in the code base. Having measured the open source footprint and built a software inventory, we analyzed the components for potential threats and known security vulnerabilities. We also checked whether the code was compliant with open source policies. We created Jira tickets for every issue we encountered, assigned to the respective client dev teams. As mentioned above, the 80 GB of code was split between individual development teams and multiple repos. Once the initial audit was done, we helped the client by sharing first-level individual and consolidated master reports for both FOSS compliance and security vulnerabilities.

The Impact

In addition to the above, we created individual reports by team and by project, and a summary for top-level management to get a sense of the OSS audit report. This made it easy for team heads and repo heads to understand how many issues and problems existed in their respective teams, as well as the potential threats in individual repos or projects, while top-level management got a high-level overview of the audit. Once individual teams had received information on their issues, we shared a master global combination of all the reports, covering everything from all the teams down to repos and sub-level projects.

Reports were further detailed and split between FOSS compliance and security vulnerabilities. We also shared a complete dashboard view for top-level management, such as the VP and CTO, showing the number of issues, how many were high, medium, and low risk, how to remediate them, how to coordinate with the app sec teams, and the timeline for remediation.

Insights from the Code Scans and Audits

Among the priority projects, one code scan of a particular team's code, close to 1 GB, found 28 P1 (high risk) and 29 P2 (medium risk) FOSS compliance issues that needed immediate attention. On the security side, we found 113 P1 (high risk) and 42 P2 (medium risk) vulnerability issues in the dependencies used.

Similarly, for another priority project with a code size of 1 GB, we found 20 P1 (high risk) and 18 P2 (medium risk) FOSS compliance issues, and our security audit revealed 59 P1 (high risk) and 49 P2 (medium risk) vulnerability issues.

We then shared these issues with the client for remediation in each of the priority projects. Lyra also provided consultation on fixes and solutions for the FOSS compliance and OSS security vulnerability issues raised.

Based on the client teams' remediation plan, we at Lyra then ran delta audits to check and verify the fixes made by the client's teams, and shared the same set of reports again. This cycle of remediation and delta scans went on for 2-3 months over many iterations. In all, 358 issues were brought to the client's attention through continuous engagement on the two priority projects above.
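The audit-then-delta-scan flow described in both case studies (inventory the components, classify license and vulnerability risk as P1/P2/low, hand the list to the dev teams, then re-scan to confirm what was fixed and what is still open) is shown below as an added example. It is not Lyra's tooling or either client's code; the component names, the license-to-risk mapping, and the CVE-count thresholds are constructed assumptions for illustration, not a legal or policy determination.

```python
from dataclasses import dataclass
# Assumed license-to-risk policy for a proprietary embedded product: strong
# copyleft is high risk (P1), weak copyleft medium (P2), permissive low.
LICENSE_RISK = {"GPL-2.0-only": "P1", "GPL-3.0-only": "P1", "AGPL-3.0-only": "P1",
                "LGPL-2.1-only": "P2", "MPL-2.0": "P2",
                "MIT": "low", "Apache-2.0": "low", "BSD-3-Clause": "low"}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str          # SPDX id as declared or detected; "UNKNOWN" if unresolved
    known_vulns: int = 0  # known CVEs per the vulnerability database (constructed)

def license_risk(c):
    # An unresolved license counts as P1 until an auditor identifies it.
    return LICENSE_RISK.get(c.license, "P1")

def vuln_risk(c):
    # Assumed thresholds: three or more known CVEs is P1, any is P2, none is low.
    return "P1" if c.known_vulns >= 3 else "P2" if c.known_vulns else "low"

def audit(inventory):
    """Map 'name@version' -> (license_risk, vuln_risk) for each component that is
    not low risk on both axes: the list handed to the dev teams for remediation."""
    return {f"{c.name}@{c.version}": (license_risk(c), vuln_risk(c))
            for c in inventory if (license_risk(c), vuln_risk(c)) != ("low", "low")}

def delta_audit(before, after):
    """Delta scan: findings that disappeared are fixed (an upgrade or a swapped
    library changes the key), new keys are regressions, the rest remain open."""
    return {"fixed": sorted(before.keys() - after.keys()),
            "new": sorted(after.keys() - before.keys()),
            "open": sorted(before.keys() & after.keys())}

# Constructed inventories: the initial code dump and the client's remediated build.
INITIAL = [Component("maptiles", "1.4.0", "GPL-3.0-only"),
           Component("geoutil", "2.0.1", "MIT", known_vulns=4),
           Component("routing-core", "0.9", "LGPL-2.1-only"),
           Component("jsonlite", "3.2.0", "Apache-2.0"),
           Component("legacy-crc", "1.0", "UNKNOWN")]
REMEDIATED = [Component("maptiles-free", "2.0.0", "Apache-2.0"),  # copyleft lib replaced
              Component("geoutil", "2.1.0", "MIT"),               # upgraded past its CVEs
              Component("routing-core", "0.9", "LGPL-2.1-only"),  # still open
              Component("jsonlite", "3.2.0", "Apache-2.0"),
              Component("legacy-crc", "1.0", "BSD-3-Clause")]     # license resolved
if __name__ == "__main__":
    first, second = audit(INITIAL), audit(REMEDIATED)
    print(first, second, delta_audit(first, second), sep="\n")
```

Keying findings by name and version means a vulnerable component that is merely re-versioned but still vulnerable shows up under "new" rather than silently counting as fixed, which is the regression check a delta scan is meant to catch.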

Conclusion

Through constant engagement with the client, Lyra was able to provide a complete list of FOSS compliance and security vulnerability issues, and to help fix them, with the issue list drilled down by team, subteam, and individual repo, plus a summary for top-level management. Thanks to the many data-driven master and consolidated reports, everyone in the development teams had a clear view of all the issues and of which ones needed remediation to stay compliant with open source policies and protected from potential attacks and data breaches.

Interested in an Open Source Audit for your company too? Get in touch with us today!
