WhiteSource raises $75M to move beyond open source security and compliance management


WhiteSource, a platform that companies such as Microsoft, IBM, and Comcast use to secure their open source software components, has raised $75 million in a series D round of funding.

Founded in 2011, WhiteSource automatically inventories every open source component in a company’s technology stack, then detects and prioritizes the known vulnerabilities in those components, issuing real-time alerts on the risks it judges genuine.

“In order to mitigate open source risks, it’s essential to remediate open source vulnerabilities as soon as they are discovered,” WhiteSource CEO and cofounder Rami Sass told VentureBeat. “However, in most cases it’s impractical to fix all vulnerabilities, and some require major development work. WhiteSource research shows that only 15% to 30% of vulnerabilities are effective — the majority of open source vulnerabilities are not called by the proprietary code.”
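The distinction Sass draws, between a vulnerability that merely exists in a dependency and an "effective" one whose vulnerable function the application actually calls, is the basis of reachability-based prioritization. The following is an added illustration, not WhiteSource's code or algorithm: it statically walks the import and call sites of a constructed application source and marks each constructed advisory as effective or not reachable. The package names, function names and advisory IDs are made up for the example.

```python
"""Added example: rank dependency advisories by whether the application's own
code calls the vulnerable function ('effective') or never does ('not reachable').
Not WhiteSource's code; all packages, symbols and IDs below are constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str       # dependency the advisory applies to (hypothetical)
    symbol: str        # vulnerable function inside that package (hypothetical)
    advisory_id: str   # made-up identifier, not a real CVE


# Constructed advisory feed.
ADVISORIES = [
    Advisory("yamlkit", "unsafe_load", "EXAMPLE-2021-0001"),
    Advisory("yamlkit", "dump", "EXAMPLE-2021-0002"),
    Advisory("imgtool", "decode", "EXAMPLE-2021-0003"),
]

# Constructed first-party application source that depends on both packages.
APP_SOURCE = '''
import yamlkit
from imgtool import decode as load_image
import imgtool

def handle(request):
    cfg = yamlkit.unsafe_load(request.body)
    img = load_image(cfg["image"])
    return imgtool.version()
'''


def called_symbols(source: str) -> set[tuple[str, str]]:
    """Return the (package, symbol) pairs the source calls, resolving aliases
    from both `import pkg [as x]` and `from pkg import sym [as y]`."""
    tree = ast.parse(source)
    module_alias: dict[str, str] = {}               # local name -> package
    symbol_alias: dict[str, tuple[str, str]] = {}   # local name -> (package, symbol)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                module_alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                symbol_alias[a.asname or a.name] = (node.module, a.name)

    calls: set[tuple[str, str]] = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # pkg.func(...) where pkg was imported as a module
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_alias):
            calls.add((module_alias[f.value.id], f.attr))
        # func(...) where func was imported directly (possibly aliased)
        elif isinstance(f, ast.Name) and f.id in symbol_alias:
            calls.add(symbol_alias[f.id])
    return calls


def triage(source: str, advisories=ADVISORIES) -> dict[str, str]:
    """Map advisory id -> 'effective' if its vulnerable symbol is called from
    the given source, otherwise 'not reachable'."""
    reached = called_symbols(source)
    return {
        a.advisory_id: ("effective" if (a.package, a.symbol) in reached else "not reachable")
        for a in advisories
    }


if __name__ == "__main__":
    for advisory_id, status in triage(APP_SOURCE).items():
        print(advisory_id, status)
```

Two caveats a practitioner would apply before trusting such a result: the check only sees direct calls from first-party code, whereas a vulnerable function is just as reachable when another dependency calls it on the application's behalf, so a real tool walks the call graph through the whole dependency tree; and static resolution misses dynamic dispatch (`getattr`, plugin registries, reflection), so "not reachable" is a prioritization signal for scheduling the upgrade, not a reason to skip it.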

Open sourced

There is a strong case to support the widely uttered mantra that open source has eaten the world. All the major tech companies not only use open source software, but contribute back to the communities and even open-source their own internal tools.

Indeed, most modern software relies on at least some open source components, as it saves the companies that build it the time and resources of developing and maintaining everything themselves. A recent IBM-commissioned study called The Value of Open Source in the Cloud Era noted that most of the respondents (developers and managers) used open source software in some aspect of their operations, while in its recent State of Enterprise Open Source report, Red Hat found that 90% now use enterprise open source in their organizations, up from 89% last year.

“We certainly have noticed the trend as well,” Sass said. “Over the past three years, we have seen the numbers of our enterprise customers triple and seen our revenue grow by 800%, underscoring the enormous demand by organizations developing software to effectively manage their use of open source components. In our view, the current pace of enterprise software development, using modern application architecture like microservices and containers, is only sustainable through a high level of reliance on open source.”

Although there are counterarguments that posit the exact opposite, open source software has long been dogged by the notion that it is less secure than its proprietary counterparts. Equifax, for example, blamed its massive 2017 breach on an unpatched vulnerability in the open source web application framework Apache Struts.

In its recent State of Software Security: Open Source Edition report, app security company Veracode found that “open source libraries are ubiquitous and risky,” with 70% of applications containing a security flaw in an open source library, while WhiteSource rival Sonatype recently reported a 430% surge in cyberattacks aimed at “infiltrating open source software supply chains.” Elsewhere, a joint report produced by WhiteSource and the Ponemon Institute found that “more than 70% of enterprise application portfolios have become more vulnerable to attack” in the past year.

“There are a number of reasons for the increase of vulnerability in enterprise applications,” Sass explained. “A misalignment between risk levels and the level of annual spending across different protection layers. The gap is most evident in the application layer, where the percentage of allocated budget is significantly lower compared with the perceived level of risk.”

Sass also cited a “lack of a formal approach” to securing the software development life cycle, as well as limited collaboration between development and security teams as other reasons why enterprise applications may have become more vulnerable. Moreover, matters have been compounded by faster software release cycles, with developers expected to ship more code and faster, leading companies to play a delicate balancing act between security and speed.

Integrated

Developers can integrate WhiteSource with many popular development environments, including IDEs, so they can see immediately whether an open source component has known security vulnerabilities before they open a pull request (i.e., before the component is merged into the main code base). WhiteSource offers four core plans with incrementally more features: free; Essentials, at $2,400 per year; Teams, at $10,000 per year; and Enterprise, which starts at $28,000 per year.

The platform includes a dashboard that serves up an overview of an organization’s open source dependencies and license risks, among other data points.

Above: “WhiteSource Essentials” gives companies an overview of their open source dependencies.

Users can dig down into specific vulnerabilities to see where they exist and how they can go about remediating them (such as upgrading to a new version).

Above: WhiteSource: Vulnerabilities.

Although open source is generally free to use, its licenses often restrict how third parties may use, modify, or redistribute it. WhiteSource therefore also helps companies adhere to whatever licensing policies they have set.

Above: WhiteSource: Spotting compliance risks.
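The workflow described above, pinned dependencies checked against a vulnerability feed and a license policy before a pull request is merged, is the core of software composition analysis. The block below is an added example of such a pre-merge gate, written for this article and not WhiteSource's code: it parses a constructed lockfile, matches each pinned version against constructed advisories with introduced/fixed version ranges, checks each package's license against an allow-list, and returns a CI exit status. Every package name, version range, advisory ID and license mapping is made up for the example.

```python
"""Added example: a minimal SCA gate for a pull request. Flags pinned
dependencies that fall inside a known-vulnerable version range or carry a
license outside the allowed set, and returns a CI exit status.
Not WhiteSource's code; all data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed lockfile, as a PR would carry it (pins only, comments allowed).
LOCKFILE = """\
httpkit==2.19.0
webframe==2.0.3
leftpad-py==1.0.0
# dev tooling is pinned elsewhere
"""

# Constructed advisory feed: package -> [(introduced, fixed, advisory_id)].
# A version v is affected when introduced <= v < fixed. IDs are made up.
ADVISORIES = {
    "httpkit": [("0.0.0", "2.20.0", "EXAMPLE-2018-0100")],
    "webframe": [("0.0.0", "0.12.3", "EXAMPLE-2018-0101")],
}

# Constructed license metadata and the organization's (hypothetical) policy.
LICENSES = {"httpkit": "Apache-2.0", "webframe": "BSD-3-Clause", "leftpad-py": "AGPL-3.0-only"}
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "license"
    detail: str    # advisory id or license identifier
    fix: str       # suggested remediation


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in v.split("."))


def parse_lockfile(text: str) -> dict[str, str]:
    """Return {package: pinned_version}; refuse unpinned entries, since a range
    cannot be checked against an advisory reliably."""
    deps: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.lower()] = version
    return deps


def scan(lockfile_text: str) -> list[Finding]:
    """Match every pinned dependency against advisories and the license policy."""
    findings: list[Finding] = []
    for name, version in parse_lockfile(lockfile_text).items():
        v = parse_version(version)
        for introduced, fixed, advisory_id in ADVISORIES.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append(Finding(name, version, "vulnerability", advisory_id,
                                        f"upgrade to >= {fixed}"))
        license_id = LICENSES.get(name, "UNKNOWN")   # unknown license is also a finding
        if license_id not in ALLOWED_LICENSES:
            findings.append(Finding(name, version, "license", license_id,
                                    "replace the component or obtain policy approval"))
    return findings


def gate(lockfile_text: str) -> int:
    """CI exit status: 0 when clean, 1 when any finding blocks the merge."""
    findings = scan(lockfile_text)
    for f in findings:
        print(f"{f.kind:13} {f.package}=={f.version}: {f.detail} -> {f.fix}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(LOCKFILE))
```

Run against the constructed lockfile, the gate reports the vulnerable `httpkit` pin with its fixed version and the `leftpad-py` license violation, and exits 1; `webframe` passes because its pin is past the fixed version. A real deployment would read the advisory feed and license metadata from a maintained source and use a proper version-comparison library rather than the numeric-tuple shortcut, but the shape of the check (inventory, range match, policy match, fail the build) is the same.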

Beyond SCA

Other notable players in the space, a sector that is commonly referred to as software composition analysis (SCA), include Black Duck, which Synopsys bought for $547 million in 2017; the aforementioned Sonatype, which was acquired by Vista Equity Partners in 2019; and Snyk, which just last month closed a $300 million round of funding at a whopping $4.7 billion valuation.

So, what would a world look like without such automated tools? Well, the onus would likely fall on security teams to manually review and approve all the open source components in their tech stack, which is a lengthy, never-ending process of checking and testing. “Sometimes, information security teams may enforce open source security standards and block components from use, without consideration for the implication on development teams,” Sass said. “Other times, developers would use their own tools to detect and avoid open source vulnerabilities, and manage the findings using spreadsheets, with limited visibility to other teams or external auditors.”

Before this round, WhiteSource had raised around $46 million, the bulk of which arrived in its series C round in 2018. With the latest $75 million injection, which attracted existing investors including Microsoft’s M12, 83North, and Susquehanna Growth Equity in addition to Pitango Growth, which led the round, WhiteSource is gearing up to broaden its reach beyond the SCA sphere and into the wider application security testing (AST) space.

“This will go beyond detection to offer prioritization and auto-remediation of open source vulnerabilities to cover all threats and all application attack vectors,” Sass said. “Our vision is not limited to open source code, and we will announce more exciting developments in the near future.”
