Open source software – a $14 billion market – has become the lifeblood of building applications and other IT services, with around 97% of developers today using open source components of some form or another in their work. This popularity, however, belies a critical challenge: some of the most ubiquitous open source packages are riddled with vulnerabilities, so their use increases the risk of a security breach.
Rather than wait (unrealistically) for organizations to stop using open source components, a new wave of startups is emerging to help them tackle this problem head-on: tracking the open source components in their code, identifying vulnerabilities and providing routes to fix them. And today, one of the pioneers in the space, Israel-based WhiteSource, announces that it has raised $35 million to expand the reach of its work – by hiring more engineers, doubling down on its platform and coming to more geographies (it currently has offices in New York, Boston and Tel Aviv) – and to expand beyond the 500 large companies that use its tools today (including 23% of the Fortune 100).
Led by new investor Susquehanna Growth Equity, the round also includes 83North and M12 (formerly Microsoft Ventures), both previous backers.
WhiteSource doesn’t disclose its valuation, but a source close to the company tells me it’s around $200 million. The company has raised $46 million to date.
WhiteSource has been around since 2011, founded by Rami Sass (CEO), Azi Cohen, Ron Rymon and Roni Einav – four alumni of a previous startup, an identity management company called Eurekify, which was acquired by CA about a decade ago. Sass said in an interview that while WhiteSource had started off quietly and raised only about $11 million previously, there had been a “big shift” in the market in the last year or so.
“There is now an awareness of the potential risk of security vulnerabilities in the open source code being used and that you want to use more of it,” he said. “So we decided to take a big leap and focus on becoming a more substantial business. This means many plans to increase innovation and invest in the next phase of technology in this space.”
(Indeed, this funding follows another startup in the same space, Snyk, which raised $22 million less than a month ago – a collective sign not just of the widespread use of open source, but of an acceptance that there are a lot of vulnerabilities in the packages that need to be identified and fixed.)
WhiteSource was one of the first companies to coin the term “software composition analysis” – “it didn’t even exist until we started the business,” Sass said – and although Sass didn’t specify what the next phase of technology at WhiteSource might entail, there are some criticisms of SCA’s “waterfall” model. WhiteSource’s future work may well involve more developer-centric versions of its detection software, in addition to the ones it already offers.
While Black Duck (acquired by Synopsys last December), Snyk and others all offer a way to detect vulnerabilities in open source code, WhiteSource believes its solution is the most comprehensive on the market. “Surveillance is a limited description,” Sass said of what WhiteSource does. “We are able to manage security risk mitigation, review every step, block components according to company policy.”
This includes tools to prevent vulnerable components from entering the code base in the first place, actions an organization can take retroactively once a vulnerability has been identified, and multi-source scanning for the most recent open source vulnerability information (drawing on what is considered the primary resource, the National Vulnerability Database). On a positive note, nearly 98% of all vulnerabilities in open source packages already have fixes available: the challenge is to identify the flaws and deploy the right fixed versions.
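To make the workflow just described concrete, here is an added example (not WhiteSource’s code, and not the NVD’s real schema): a minimal software composition analysis pass that parses a pinned dependency list, matches it against a constructed advisory feed, reports the fixed version where one exists, and applies a block-the-build policy by severity. All package names, advisory ids and versions are constructed sample data.

```python
"""Minimal SCA check: match pinned dependencies against an advisory feed,
report available fixes and decide per policy whether to block the build.
Constructed sample data; not WhiteSource's code or the NVD schema."""


def parse_version(v):
    """'2.9.10' -> (2, 9, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory feed, loosely modelled on NVD-style entries.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "affected_below": "2.9.10",
     "fixed_in": "2.9.10", "severity": "high"},
    {"id": "ADV-0002", "package": "otherlib", "affected_below": "1.4.0",
     "fixed_in": "1.4.0", "severity": "medium"},
    {"id": "ADV-0003", "package": "legacylib", "affected_below": "0.9.9",
     "fixed_in": None, "severity": "critical"},  # no upstream fix published
]

# Constructed lockfile in pip requirements syntax.
LOCKFILE = """\
examplelib==2.9.8
otherlib==1.4.2
legacylib==0.9.5
"""


def parse_lockfile(text):
    """Return {package_name: pinned_version} from 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Flag every advisory whose package is pinned below the first safe version."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned and parse_version(pinned) < parse_version(adv["affected_below"]):
            findings.append({**adv, "installed": pinned})
    return findings


def apply_policy(findings, block_at=("critical", "high")):
    """Return (blocked, remediation). Policy: block the build on high/critical."""
    blocked = any(f["severity"] in block_at for f in findings)
    remediation = [(f["package"], f["installed"], f["fixed_in"] or "no fix published")
                   for f in findings]
    return blocked, remediation
```

A real feed would carry version ranges per advisory rather than a single upper bound, and a real lockfile parser would handle extras, markers and non-PEP 440 versions; the matching and policy logic are the part the article describes.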
The problem of open source vulnerabilities is persistent. WhiteSource research found that the number of disclosed vulnerabilities in open source software in 2017 increased by more than 60% from 2016, with 2018 shaping up to be even bigger.
Moreover, the vulnerabilities appear to exist regardless of the popularity of the package or the programming language used.
“The more popular an open-source project, the larger its community and the more attention it attracts from security researchers,” the company noted in a recent report. “With more contributors reviewing it, more security and quality issues are discovered and made public each month.” WhiteSource estimates that 7.5% of all open source projects are vulnerable because of this, but of the 100 most popular projects, 32% are vulnerable.
“WhiteSource has set the standard for open source security solutions through its strong leadership and groundbreaking innovations,” said Martin Angert, director of Susquehanna Growth Equity, in a statement. “We are thrilled to join WhiteSource on its journey to help companies develop better software, faster.”