Synopsis can help secure the Software Supply Chain
Background
In light of the recent security breaches in the public and private sectors, software security companies have been in focus. Multiple stocks such as Fortinet (FTNT), Qualisys (QLYS) and Crowdstrike (CRWD) have seen an uptick on higher volume over the last few days. The services offered by these companies will certainly help in securing infrastructure and detecting network breaches.
However, it's important to take a look at how the security incident unfolded this past week as the hackers took a unique vector to compromising the servers of so many organizations. They did not attack directly those organizations by penetrating a firewall or using social engineering techniques. Instead the hackers attacked what is known as the Software Supply Chain.
What is the Software Supply Chain? It is the numerous platforms, tools, reusable libraries and processes that software engineers and IT operations use to design, build and deploy software. These include popular open source tools and open source software that have become so popular in the past two decades.
Any company that creates or purchases software for their network goes through a painstaking process to ensure that the software is secure and does not compromise their network. But once vetted, updates to that software, when signed by the vendor with a special digital signature, are typically trusted and deployed without the same deep analysis.
So what happened this past week? Hackers did not target the end customer organizations. In fact, they did not even target the vendor of the software which was compromised. Instead they compromised the tools used to build the software before its digitally signed and delivered to customers. By inserting some undetected code into the build process, the hackers effectively created a trojan horse for their code to enter networks of numerous customers as trusted software.
Solution
There are numerous mitigations and solutions that security experts are looking at to solve this problem. New tools to detect malicious software. AI-based scanning software can detect anomalous traffic in the network. Additional steps before deploying new versions of software that was previously trusted.
The focus in this past weeks event will move to how developers can secure the Software Supply Chain end-to-end. That will include detecting upstream vulnerabilities in 3rd party libraries and tools that are used to create software.
Synopsis
This is where Synopsis has a set of capabilities that may have more demand in the near future. Synopsis offers a leading software integrity platform. It's just one area that they provide services and accounts for about ~10% of their revenues today. They have been carefully building out this area of the business over the past six years by acquiring up to ten different companies with key offerings in software integrity.
Recently, Gartner recognized Synopsis as the leader in End-to-End Application Security. They are the only leader in both the Static Application Security Testing (looking for vulnerabilities in first party code) and Software Composition Analysis (looking for vulnerabilities in 3rd party / open-source code). Synopsis also offers Dynamic Analysis of the final running software as well as professional services to help customers build secure software.
The other areas of Synopsis business is Electronic Design Automation (65% of revenues) and Semiconductor IP (25% of revenues). In these businesses, Synopsis is helping deliver the next generation of high-density chips as well as field programable gate arrays (FPGAs) that will drive smaller electronics, software-powered automobiles, and household automation.
With 150 million lines of code in the average vehicle today, securing the Software Supply Chain becomes even more critical and Synopsis seems to be in the perfect position to fulfill that mission.
Fundamentals
Technicals
Buy Point
In light of the recent security breaches in the public and private sectors, software security companies have been in focus. Multiple stocks such as Fortinet (FTNT), Qualisys (QLYS) and Crowdstrike (CRWD) have seen an uptick on higher volume over the last few days. The services offered by these companies will certainly help in securing infrastructure and detecting network breaches.
However, it's important to take a look at how the security incident unfolded this past week as the hackers took a unique vector to compromising the servers of so many organizations. They did not attack directly those organizations by penetrating a firewall or using social engineering techniques. Instead the hackers attacked what is known as the Software Supply Chain.
What is the Software Supply Chain? It is the numerous platforms, tools, reusable libraries and processes that software engineers and IT operations use to design, build and deploy software. These include popular open source tools and open source software that have become so popular in the past two decades.
Any company that creates or purchases software for their network goes through a painstaking process to ensure that the software is secure and does not compromise their network. But once vetted, updates to that software, when signed by the vendor with a special digital signature, are typically trusted and deployed without the same deep analysis.
So what happened this past week? Hackers did not target the end customer organizations. In fact, they did not even target the vendor of the software which was compromised. Instead they compromised the tools used to build the software before its digitally signed and delivered to customers. By inserting some undetected code into the build process, the hackers effectively created a trojan horse for their code to enter networks of numerous customers as trusted software.
Solution
There are numerous mitigations and solutions that security experts are looking at to solve this problem. New tools to detect malicious software. AI-based scanning software can detect anomalous traffic in the network. Additional steps before deploying new versions of software that was previously trusted.
The focus in this past weeks event will move to how developers can secure the Software Supply Chain end-to-end. That will include detecting upstream vulnerabilities in 3rd party libraries and tools that are used to create software.
Synopsis
This is where Synopsis has a set of capabilities that may have more demand in the near future. Synopsis offers a leading software integrity platform. It's just one area that they provide services and accounts for about ~10% of their revenues today. They have been carefully building out this area of the business over the past six years by acquiring up to ten different companies with key offerings in software integrity.
Recently, Gartner recognized Synopsis as the leader in End-to-End Application Security. They are the only leader in both the Static Application Security Testing (looking for vulnerabilities in first party code) and Software Composition Analysis (looking for vulnerabilities in 3rd party / open-source code). Synopsis also offers Dynamic Analysis of the final running software as well as professional services to help customers build secure software.
The other areas of Synopsis business is Electronic Design Automation (65% of revenues) and Semiconductor IP (25% of revenues). In these businesses, Synopsis is helping deliver the next generation of high-density chips as well as field programable gate arrays (FPGAs) that will drive smaller electronics, software-powered automobiles, and household automation.
With 150 million lines of code in the average vehicle today, securing the Software Supply Chain becomes even more critical and Synopsis seems to be in the perfect position to fulfill that mission.
Fundamentals
- Market cap of $39 billion
- 153 million shares outstanding (150m shares in float)
- YoY Sales Growth of 3%, 13%, 20% last three quarters
- YoY EPS Growth of 5%, 47%, 27% last three quarters
- Fund ownership of 59%
- Announced on 12/16 an accelerated stock buy-back program
Technicals
- 115% gain from March lows
- Currently in seven-day run (higher highs, higher lows)
- Broke above buy point of 246.49 on 12/15, still within 5%
- Support at ~245, ~234 and ~223
Buy Point
- Buy Point: 255.82
- 10d ATR Stop (x2.7): 240.06 (6.16.%)
- Position Size: R16.22
Komentarz:
SNPS broke out from a base yesterday. ARKK added a position.