Snyk has acquired FossID for an undisclosed amount. The deal gives Snyk access to FossID’s tools for scanning C/C++ code for open source licences and vulnerabilities. Snyk claims there are over 6 million C/C++ developers out there, and it wants their business. Acquiring FossID will help it do just that. The acquisition broadens Snyk’s existing tools around open source and will help address a developer group it currently does not serve well.
Snyk has built its business on addressing open source issues. It has targeted developers who often have no accurate manifest of what open source they are using. Even those that do don’t always monitor the licence conditions of that open source. Are they required to push all changes back to the community? Can they fork their own version for use? What acknowledgements do they need to make?
It is not just compliance that is an issue. The failure to track open source usage means that security teams cannot track known vulnerabilities in source code. It means that patches and updates are not being applied. This can leave organisations open to attack from cybercriminals exploiting otherwise fixable issues.
Peter McKay, CEO, Snyk, said: “With FossID’s powerful capabilities to find, fix and monitor vulnerabilities in all forms of open source software, Snyk is now accelerating our vision to bring security to every developer in the world.
“Together with this world-class team, we look forward to reaching millions more of the world’s developers, empowering them to build applications securely while also staying a step ahead of their competition.”
What is Snyk planning to do with FossID?
The plan is to integrate FossID’s capabilities into Snyk’s existing Software Composition Analysis (SCA) product, Snyk Open Source. According to the press release, this will provide four key benefits to Snyk customers who are using C/C++ to build their applications today:
- Unmanaged code, inclusive of snippet detection: FossID’s solution identifies vulnerabilities in all forms of open source, including the detection of snippets (a few lines of code copied from the open source software package). This has been historically difficult and is a critical problem to solve for developers looking to increasingly own security responsibilities within their organizations.
- 2 PBs of machine-harvested source code: FossID’s comprehensive knowledge base contains the equivalent of more than two petabytes (PBs) of machine-harvested source code from all of the world’s currently known open source repositories.
- AI-powered analysis: FossID’s AI technology automatically eliminates false positives, allowing development teams to save time and money and ultimately ship their applications faster and safer than their competition.
- Developer-friendly license compliance: FossID’s license compliance engine is able to automatically inspect applications with speed and accuracy to detect license and copyright information, thanks to its AI-powered patent-pending software solution that relies on an audit-grade database of over 1900 licenses.
Enterprise Times: What does this mean?
Snyk is wasting no time spending the US $300M Series E funding it received in March. This is a smart acquisition on several levels. It provides more support for C/C++ developers, a group that Snyk doesn’t really serve well.
It also gives Snyk another route into the enterprise. There is a lot of C/C++ code inside enterprise IT environments. The amount of new code written in C/C++ is lower than in many other languages. However, enterprises are doing a lot of maintenance coding. It is likely that many of the applications enterprises rely on have pulled in open source code and utilities at some point. Giving developers the tools to identify and remediate that code is essential.
The timing is also ideal. There is significant concern over the software supply chain at the moment. One of those concerns is visibility into the code base that organisations have. Snyk has improved its attractiveness to security teams with this acquisition of FossID.
The question now is, what else does Snyk believe it needs to add to complete its offering?