“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and expertise,” said Emmanuel Benzaquen, CEO, Checkmarx.
“Combining Dustico’s differentiated approach to open source analysis with Checkmarx’s best-of-breed security testing capabilities will bring disruptive value to our customers as they address the challenges of securing software supply chains.”
Last month, the European Union Agency for Cybersecurity (ENISA) published a report predicting a four-fold increase in software supply chain attacks in 2021 compared to 2020.
The study analysed 24 such incidents between January 2020 and July 2021. 50 percent of the supply chain attacks studied were attributed to known groups, while 42 percent were not attributed to a specific source. The attackers were primarily motivated to gain access to source code and customer data.
One of the most devastating and high-profile attacks was the SolarWinds incident, where attackers exploited vulnerabilities in the IT software Orion, used by various government entities, Microsoft, cybersecurity firm FireEye, and many others. The attack has since been linked to the Russian state-sponsored hacker group APT29 (AKA ‘Cozy Bear’).
The authors of the ENISA report wrote:
“The number of supply chain attacks has been steadily increasing over the last year.
This trend further stresses the need for policymakers and the security community to devise and introduce novel protective measures to address potential supply chain attacks in the future and to mitigate their impact.”
Dustico is a SaaS-based solution that detects malicious attacks and backdoors in open-source software supply chains.
Research from Veracode last year found that open-source libraries cause security flaws in 70 percent of apps. Snyk, meanwhile, has observed a 2.5x growth in open-source vulnerabilities over the past three years.
Checkmarx’s latest acquisition will enable the company to combine its existing AST capabilities with Dustico’s behavioural analysis technology.
Maty Siman, CTO of Checkmarx, explained:
“Today’s adversaries have zoned in on software supply chains – many of which rely heavily on open source. As the threat of tampering in third-party packages increases, development teams must operate with the proactive assumption that all code may have been maliciously manipulated.
With Dustico, we’re building on our mission to secure open source by enabling customers to perform vulnerability, behavioural, and reputational analysis from a single solution.
This will give developers and security leaders the insights and confidence needed to choose safer code packages and, in turn, build more secure applications at speed.”
Dustico uses a “three-pronged” approach to determine the safety of open-source packages.
The company’s technology factors in the trust of package providers and contributors, the ongoing support of the package as shown by its update cadence, and also applies its behavioural analysis engine to look for anything malicious hiding in packages, such as backdoors.
Tzachi Zornstain, Co-Founder and CEO of Dustico, commented: “We founded Dustico to help organisations address the explosion in supply chain and dependency attacks and fortify their trust in open source software, and we’re thrilled to join Checkmarx to further execute on this vision and bring our capabilities to a global set of customers.”