Checkmarx Acquisition of Dustico Strengthens Open Source Software Supply Chain




Application security testing (AST) company Checkmarx has acquired Dustico, a platform for detecting backdoors and other malicious activity in the open source software supply chain. Terms of the deal were not disclosed.

Combined with Checkmarx’s open source software composition analysis tool, CxSCA, it will give customers a “unified view of the risk, reputation and behavior of open source packages” to help prevent supply chain attacks, the company said.

The software supply chain has become a major area of focus for security-conscious enterprises, in large part due to the growing scourge of attacks that target enterprises by exploiting vulnerabilities in “trusted” third-party software. The European Union (EU) cybersecurity agency ENISA recently released a report titled Threat Landscape for Supply Chain Attacks, which predicts a fourfold increase in supply chain attacks in 2021 compared to 2020, with notable events such as the SolarWinds breach affecting businesses and government agencies around the globe.

The increase in these attacks can be attributed in part to the growing use of open source components in software development, a process that often relies on automated dependency managers that can download and install dozens or even hundreds of open source packages as part of the software lifecycle, some of which may contain critical vulnerabilities or malicious code deliberately inserted by bad actors.

A quick overview of the cybersecurity landscape reveals a concerted push to address security in the software supply chain. As recently as last week, ReversingLabs secured $56 million in venture capital to fight software supply chain attacks. Elsewhere, GitLab recently open-sourced Package Hunter to detect malicious code in dependencies, while Google introduced Supply Chain Levels for Software Artifacts (SLSA), touted as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.”


Founded in Israel in 2006, Checkmarx offers a range of software security products, such as integrated source code analysis tools for both open source and proprietary code, and has built up a list of renowned clients including Sony, SAP, Deloitte, Visa, and Coca-Cola. Last year, private equity giant Hellman & Friedman acquired Checkmarx in a $1.15 billion deal.

Dustico, which was founded less than a year ago, has built a machine learning-based platform that performs behavioral analysis and package reputation checks to thwart potential attackers in the open source software supply chain. Taking a multi-pronged approach, Dustico checks the credibility of the software package vendor and the project’s contributors while also assessing the health of the package itself based on metrics such as update frequency and the quality of its maintenance. Dustico also checks for suspected backdoors and other forms of malicious activity. The company’s focus is less on detecting vulnerabilities inadvertently introduced by human error than on code that looks the part but has malicious intent.

“When code has been written to deliberately hide its intent, it’s important to assess what the code does when you run it and who created it in the first place,” wrote Checkmarx’s software composition analysis and open source evangelist Robert Haynes in a blog post. “Evaluating what software does, the processes it creates, the ports it opens, and the connections it tries to make are all critical indicators of package intent.”
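The two signal families described above, package reputation (maintainers, update frequency) and install-time behaviour (processes, ports, connections), can be combined into a simple risk verdict. The following is an added example written for this page; it is not Dustico’s or Checkmarx’s code, and the trace format, thresholds, `PackageMeta`/`BehaviorTrace` types and the sample packages are all constructed for illustration.

```python
"""Score a package from constructed metadata and a constructed install-time trace.

Added example, not from the article or the vendors it describes. The metric
thresholds and the event format are assumptions made for illustration.
"""
import os
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PackageMeta:
    """Reputation inputs a registry or repository would expose (assumed fields)."""
    name: str
    maintainers: int
    last_release: date
    releases_last_year: int
    newest_maintainer_age_days: int  # age of the most recently added maintainer account


@dataclass
class BehaviorTrace:
    """What an install sandbox observed (assumed, simplified event lists)."""
    processes: list[str] = field(default_factory=list)
    listening_ports: list[int] = field(default_factory=list)
    outbound_hosts: list[str] = field(default_factory=list)
    files_written: list[str] = field(default_factory=list)


# Hosts a Python package install is expected to talk to (assumed allow-list).
EXPECTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Child processes an install step has little reason to start.
SUSPECT_PROCS = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget"}


def reputation_findings(meta: PackageMeta, today: date) -> list[str]:
    """Flag weak maintenance or sudden ownership changes (thresholds are assumptions)."""
    findings = []
    if (today - meta.last_release).days > 730:
        findings.append("stale: no release in over two years")
    if meta.releases_last_year > 50:
        findings.append("burst: unusually many releases in the last year")
    if meta.maintainers == 1 and meta.newest_maintainer_age_days < 30:
        findings.append("ownership: single maintainer added within the last month")
    return findings


def behavior_findings(trace: BehaviorTrace) -> list[str]:
    """Flag the indicators the quote names: processes, ports, connections, plus sensitive writes."""
    findings = []
    for proc in trace.processes:
        if os.path.basename(proc) in SUSPECT_PROCS:
            findings.append(f"process: spawned {proc}")
    if trace.listening_ports:
        findings.append(f"port: opened listener on {trace.listening_ports}")
    for host in trace.outbound_hosts:
        if host not in EXPECTED_HOSTS:
            findings.append(f"network: connected to unexpected host {host}")
    for path in trace.files_written:
        if path.startswith("/etc/") or "/.ssh/" in path or path.endswith((".bashrc", ".profile")):
            findings.append(f"file: wrote to sensitive path {path}")
    return findings


def assess(meta: PackageMeta, trace: BehaviorTrace, today: date) -> dict:
    """Combine both signal families; any behavioural finding blocks, reputation alone asks for review."""
    rep = reputation_findings(meta, today)
    beh = behavior_findings(trace)
    score = len(rep) + 2 * len(beh)  # behaviour weighs double (assumed weighting)
    verdict = "block" if beh else ("review" if rep else "allow")
    return {"package": meta.name, "score": score, "verdict": verdict, "findings": rep + beh}


# Constructed sample data: one healthy package, one with malicious-looking install behaviour.
TODAY = date(2021, 8, 10)


def benign_case() -> tuple[PackageMeta, BehaviorTrace]:
    meta = PackageMeta("example-utils", maintainers=4, last_release=TODAY - timedelta(days=30),
                       releases_last_year=8, newest_maintainer_age_days=900)
    trace = BehaviorTrace(processes=["/usr/bin/python3"], outbound_hosts=["pypi.org"],
                          files_written=["/venv/lib/site-packages/example_utils/__init__.py"])
    return meta, trace


def suspicious_case() -> tuple[PackageMeta, BehaviorTrace]:
    meta = PackageMeta("example-utils-v2", maintainers=1, last_release=TODAY - timedelta(days=2),
                       releases_last_year=60, newest_maintainer_age_days=5)
    trace = BehaviorTrace(processes=["/bin/sh", "/usr/bin/curl"], listening_ports=[4444],
                          outbound_hosts=["203.0.113.7"], files_written=["/home/build/.bashrc"])
    return meta, trace


if __name__ == "__main__":
    for case in (benign_case, suspicious_case):
        print(assess(*case(), TODAY))
```

Behavioural findings are deliberately decisive on their own: a package that spawns a shell or phones home during install is blocked regardless of how reputable its metadata looks, while weak reputation alone only routes the package to human review.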


VentureBeat’s mission is to be a digital public place for technical decision-makers to learn about transformative technology and conduct transactions. Our site provides essential information on data technologies and strategies to guide you in managing your organizations. We invite you to become a member of our community, to access:
