
Application security testing (AST) company Checkmarx has acquired Dustico, a platform for detecting backdoors and other malicious activity in the open source software supply chain. Terms of the deal were not disclosed.

Combined with Checkmarx’s open source software composition analysis tool CxSCA, Dustico will offer customers a “unified view into the risk, reputation, and behavior of open source packages” to help prevent supply chain attacks, the company said.

The software supply chain has emerged as a major area of focus for security-conscious companies, due in large part to the growing scourge of attacks that target businesses by exploiting vulnerabilities in “trusted” third-party software. The European Union’s (EU) cybersecurity agency ENISA recently published a report called Threat Landscape for Supply Chain Attacks, which predicted a fourfold increase in supply chain attacks in 2021 versus 2020, with notable events such as the SolarWinds breach impacting companies and government agencies around the globe.



The rise in such attacks can be attributed in part to the growing use of open source components in software development, a process that often leans on automated dependency managers that may download and install dozens or hundreds of open source packages as part of the software lifecycle, some of which may contain critical vulnerabilities or malicious code deliberately inserted by bad actors.

A quick peek across the cybersecurity landscape reveals a concerted push to address security in the software supply chain. Just last week, ReversingLabs secured $56 million in venture capital funding to combat software supply chain attacks. Elsewhere, GitLab recently open-sourced Package Hunter to detect malicious code in dependencies, while Google introduced Supply Chain Levels for Software Artifacts (SLSA), touted as an end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain.”


Founded out of Israel in 2006, Checkmarx offers a range of software security products, such as integrated source code (open source and proprietary) scanning tools, and has amassed a roster of big-name customers, including Sony, SAP, Deloitte, Visa, and Coca-Cola. Accordingly, private equity giant Hellman & Friedman acquired Checkmarx in a $1.15 billion deal last year.

Dustico, which was founded less than a year ago, has built a machine learning-powered platform that conducts software package behavioral analysis and detection to avert would-be attackers in the open source software supply chain. Adopting a multi-pronged approach, Dustico checks the credibility of the software package provider and project contributors while verifying the health of the package itself based on metrics such as update frequency and how well it’s maintained. Dustico also checks for dubious backdoors and any other form of malicious activity. The company is perhaps less focused on spotting vulnerabilities inadvertently introduced by human error than it is on rooting out code that looks the part but has ill intentions.

“When code has been written to deliberately hide its intent, it’s important to evaluate what the code does when you run it and who created it in the first place,” Checkmarx software composition analysis and open source evangelist Robert Haynes wrote in a blog post. “Evaluating what a piece of software does, what processes it creates, what ports it opens, and what connections it attempts to make are all critical indicators of the package’s intent.”
