We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
WhiteSource today is expanding beyond securing the use of open source code in application development, with the launch of a new solution to secure custom-developed, proprietary code. The introduction of detection and remediation for vulnerabilities in custom code will ultimately turn the vendor’s platform into “a one-stop shop that services all application security needs,” says cofounder and CEO Rami Sass.
A longtime provider of software composition analysis (SCA), which secures open source code, WhiteSource will now be able to serve customers who are looking for custom code security via static application security testing (SAST), as well. The company’s SAST solution is generally available as of today, and is based on the recent acquisitions of two European startups, along with the company’s own internal development work.
WhiteSource acquired SAST detection startup Xanitizer in mid-December, and SAST scanning startup DefenseCode in mid-January. The acquisitions were not disclosed previously.
While SCA and SAST cover different sides of the spectrum in software development, the two solutions are “both looking at the same applications, being developed by the same engineers, inside the same organizations,” Sass said in an interview with VentureBeat. “And so it does make sense to have both these technologies coexist in a unified platform — because the same people end up having to fix those vulnerabilities.”
With today’s initial launch of the WhiteSource SAST solution, the SCA and SAST offerings will not be integrated with each other — but the plan is to integrate the two sides early in the second half of the year, according to Sass.
The move is a response to customer demand for a consolidated platform in application code security. “They want to get all these vulnerabilities from the same source, and they want to have the same workflows to fix them,” Sass said.
The expansion also represents a “huge growth opportunity” for the company, he said, given that the SAST market is approximately five to six times the size of the SCA market. “It really gives us a lot of room to keep growing at an accelerated pace, like we’ve had for the last four or five years,” Sass said.
The code vulnerability detection in WhiteSource’s SAST solution will be “industry-leading” in terms of offering few false positives, and is capable of scanning for flaws at between 10 and 100 times faster than legacy solutions, according to Sass. But the real differentiator is in the remediation capabilities, he said.
“In the SAST world, all the solutions always try to convince you that their detection is better. But hardly anyone is even trying to fix the vulnerabilities for you,” Sass said.
Even when other solutions do attempt to help with remediation, the approach typically involves either pointing out the place in the code where fixers should be made, or providing developers with education on how they should go about fixing these kinds of vulnerabilities — but not the specific vulnerability in question, he said.
With the WhiteSource SAST solution, however, “we are taking an approach of actually solving the problem for you — which is very unique,” Sass said.
While the vulnerability detection technology in the solution is based on the two recent acquisitions, the remediation capabilities have been under development internally at WhiteSource over the past year, he said. “We’ve had a dedicated team of domain expert Ph.D.s working on it. We’ve submitted a number of patents. It’s a very complex problem,” Sass said. “But we are very excited about our ability to actually solve the security issue for you, and not just be able to report on it.”
This follows on WhiteSource’s similar capabilities in SCA, which provides automated remediation for open source code, and debuted three years ago.
“We were the first to introduce the notion of automatically remediating the vulnerabilities in your [open source] dependencies. And by now we’ve been doing it in production for tens of thousands of real customer projects,” Sass said. “In that time, we’ve also had some other vendors in the space copy our solutions.”
What the company has found since launching the capability is that automated remediation is “a huge generator of value,” he said.
“The real value that anyone can derive from any kind of application security solution is if they’re able to eliminate vulnerabilities from their applications. Just knowing about vulnerabilities doesn’t do anything to stop an attack or a hack,” Sass said. “So now, that’s something we’re going to transfer into the world of static analysis for proprietary code.”
Ultimately, across both open source and custom code, “we are the only ones that can completely automate the act of fixing the vulnerabilities — and not just finding them,” he said.
The expansion of WhiteSource’s offerings comes after the company has already been seeing strong growth, according to Sass. Revenue is up 800% over the past three years, and in the fourth quarter of the year, the company closed a major customer deal — worth $9 million — with a large software vendor. The name of the customer was not disclosed.
WhiteSource crossed the 1,000-customer mark last year and now reports having more than 1,100 customers. Customers include Microsoft, IBM, Comcast, The Home Depot, Mastercard, Bosch, Schlumberger, Roche, Berkshire Hathaway, PWC, and KPMG.
With offices in Israel, the United Kingdom, and Boston, Massachusetts, WhiteSource has more than 300 employees. The company has raised $121.2 million since its founding in 2011, most recently closing a $75 million series D round in April 2021.
WhiteSource did not disclose the terms of its two recent acquisitions. Croatia-based DefenseCode brought seven employees, while Germany-based Xanitizer brought four.
‘Turning point’ in code security
While interest in code security solutions has been growing steadily since 2014, when the Heartbleed and Shellshock vulnerabilities were disclosed, 2021 was clearly a “turning point,” Sass said. The discovery of the critical vulnerability in the widely used Apache Log4j logging library capped off a year that had already seen major growth in awareness around code security risks, he said.
“The main turning point in 2021 was the emergence of a new kind of application vulnerability — the supply chain attack — which is very different [from] what we’ve seen historically,” Sass said.
In the past, “all these vulnerabilities were accidental,” he said. “Some well-meaning developer in an open source project had a bug — but they did not mean for there to be a vulnerability.”
But then, at the tail end of 2020, the SolarWinds software supply chain breach was discovered. And that was followed a few months later by other attacks carried out by inserting malicious code into applications during the development process, including the Kaseya and Codecov attacks.
Until this point, vulnerabilities in code “were there by mistake,” Sass said. “With supply chain attacks, someone intentionally is trying to implant these vulnerabilities, and then are doing everything they can to cover up their tracks. So, that’s not something we’ve not seen before, and that drove a lot more awareness to this issue.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.