Application security testing (AST) company Checkmarx has acquired Dustico, a platform for detecting backdoors and other malicious activity in the open source software supply chain. Terms of the deal were not disclosed.
Combined with Checkmarx’s open source software composition analysis tool CxSCA, the company said that its customers will be able to glean a “unified view into the risk, reputation, and behavior of open source packages” to help prevent supply chain attacks.
The software supply chain has emerged as a major area of focus for security-conscious companies, due in large part to the growing scourge of attacks which target businesses by exploiting vulnerabilities in “trusted” third-party software. The European Union’s (EU) cybersecurity agency ENISA recently published a report called Threat Landscape for Supply Chain Attacks, which predicted a four-fold increase in supply chain attacks in 2021 versus 2020, with notable events such as the SolarWinds breach impacting countless companies and government agencies around the globe.
The rise in such attacks can be attributed in part to the growing use of open source components in software development, a process that often leans on automated dependency managers that may download and install dozens or hundreds of open source packages over the course of the software lifecycle — some of which may contain critical vulnerabilities, or malicious code deliberately inserted by bad actors.
A quick peek across the cybersecurity landscape reveals a concerted push to address security in the software supply chain — just this week, ReversingLabs secured $56 million in venture capital funding to combat software supply chain attacks. Elsewhere, GitLab recently open-sourced Package Hunter to detect malicious code in dependencies, while Google introduced Supply Chain Levels for Software Artifacts (SLSA), touted as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.”
Founded out of Israel in 2006, Checkmarx offers a range of software security products such as integrated source code (open source and proprietary) scanning tools, and has amassed a roster of big-name customers including Sony, SAP, Deloitte, Visa, and Coca-Cola. Accordingly, private equity giant Hellman & Friedman acquired Checkmarx in a $1.15 billion deal last year.
Dustico, which was founded less than a year ago, has built a machine learning-powered platform that performs behavioral analysis and detection on software packages to thwart would-be attackers in the open source software supply chain. Adopting a multi-pronged approach, Dustico checks the credibility of the software package provider and the project contributors, while also verifying the health of the package itself based on metrics such as update frequency and how well it’s maintained. On top of that, Dustico checks for dubious backdoors and any other form of malicious activity. Dustico is perhaps less about spotting vulnerabilities inadvertently introduced by human error than it is about rooting out code that looks the part but has ill intentions.
“When code has been written to deliberately hide its intent, it’s important to evaluate what the code does when you run it, and who created it in the first place,” Checkmarx software composition analysis and open source evangelist Robert Haynes wrote in a blog post. “Evaluating what a piece of software does, what processes it creates, what ports it opens, and what connections it attempts to make are all critical indicators of the package’s intent.”
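As an added illustration of the kind of runtime evaluation described above (this is not Dustico's or Checkmarx's code): a Python 3.8+ audit hook records the connections a package's setup-time code attempts and the processes it spawns, run here against a constructed, hypothetical suspect package embedded as a string.

```python
"""Observe what a package's code does when it runs, via sys.addaudithook (Python 3.8+)."""
import subprocess
import sys

# CPython audit events corresponding to the quoted indicators:
# processes created and connections attempted.
WATCHED = {"subprocess.Popen", "os.system", "socket.connect"}

# Constructed sample: hypothetical setup-time code of a suspect package that
# dials out and spawns a process while otherwise appearing harmless.
SUSPECT_PACKAGE_SOURCE = """
import socket, subprocess, sys
try:
    socket.create_connection(("127.0.0.1", 9), timeout=0.2)
except OSError:
    pass
subprocess.run([sys.executable, "-c", "pass"], check=False)
"""

# Audit hooks cannot be removed once installed, so a single hook is
# installed and gated by the "recording" flag.
_state = {"installed": False, "recording": False, "events": []}


def _hook(event, args):
    if _state["recording"] and event in WATCHED:
        _state["events"].append((event, args))


def observe(source):
    """Execute package code under observation and return a behavior report."""
    if not _state["installed"]:
        sys.addaudithook(_hook)
        _state["installed"] = True
    _state["events"] = []
    _state["recording"] = True
    try:
        exec(compile(source, "<package-setup>", "exec"), {"__name__": "suspect"})
    finally:
        _state["recording"] = False
    report = {"connections": [], "processes": []}
    for event, args in _state["events"]:
        if event == "socket.connect":          # args: (socket, address)
            report["connections"].append(args[1])
        elif event == "subprocess.Popen":      # args: (executable, argv, cwd, env)
            report["processes"].append(list(args[1]))
        elif event == "os.system":             # args: (command,)
            report["processes"].append([args[0]])
    return report


if __name__ == "__main__":
    for kind, items in observe(SUSPECT_PACKAGE_SOURCE).items():
        print(kind, items)
```

In practice the package would be run in an isolated sandbox, and the report compared against what the package claims to do.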