Developer-centric app security testing (AST) firm Checkmarx has acquired Dustico to help counter the increasing threat of supply chain attacks.
“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO, Checkmarx.
“Blending Dustico’s differentiated approach to open source analysis with Checkmarx’s best-of-breed security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”
Last month, the European Union Agency for Cybersecurity (ENISA) published a report predicting a four-fold increase in software supply chain attacks in 2021 compared to 2020.
The study analysed 24 of such incidents between January 2020 and July 2021. 50 percent of the supply chain attacks studied were attributed to known groups, while 42 percent were not attributed to a particular source. The attackers were mainly motivated to gain access to source code and customer data.
One of the most devastating and high-profile attacks was the SolarWinds incident where attackers exploited vulnerabilities in the IT software Orion, used by various government entities, Microsoft, cybersecurity firm FireEye, and many others. The attack has since been linked to Russian state-sponsored hacker group APT29 (AKA ‘Cozy Bear’).
The authors of the ENISA report wrote:
“The number of supply chain attacks has been steadily increasing over the last year.
This trend further stresses the need for policymakers and the security community to devise and introduce novel protective measures to address potential supply chain attacks in the future and to mitigate their impact.”
Dustico is a SaaS-based solution that detects malicious attacks and backdoors in open-source software supply chains.
Research from Veracode last year found that open-source libraries cause security flaws in 70 percent of apps. Snyk, meanwhile, has observed a 2.5x growth in open-source vulnerabilities over the past three years.
Checkmarx’s latest acquisition will enable the company to combine its existing AST capabilities with Dustico’s behavioural analysis technology.
Maty Siman, CTO of Checkmarx, explained:
“Today’s adversaries have zoned-in on software supply chains – many of which rely heavily on open source. As the threat of tampering in third-party packages increases, development teams must operate with the proactive assumption that all code may have been maliciously manipulated.
With Dustico, we’re building on our mission to secure open source by enabling customers to perform vulnerability, behavioural, and reputational analysis from a single solution.
This will give developers and security leaders the insights and confidence needed to choose safer code packages, and in turn, build more secure applications at speed.”
Dustico uses a “three-pronged” approach to determine the safety of open-source packages.
The company’s technology factors in the trust of package providers and contributors, the ongoing support of the package through update cadence, and also applies its behavioural analysis engine to look for anything malicious hiding in packages such as backdoors.
Tzachi Zornstain, Co-Founder and CEO of Dustico, commented: “We founded Dustico to help organisations cope with the explosion in supply chain and dependency attacks and fortify their trust in open source software, and we’re thrilled to join Checkmarx to further execute on this vision and bring our capabilities to a global set of customers.”
(Photo by Michael Geiger on Unsplash)
