Open source software — a $14 billion market — has become a cornerstone for building apps and other IT services, with some 97 percent of developers today using using open source components of one form or another in their work. That popularity, however, belies a critical challenge: some of the most ubiquitous open source packages around are rife with vulnerabilities, so using them increases the risk of a security breach.
Rather than (unrealistically) expecting organizations to stop using open source components, there is a new wave of startups that are emerging to help them tackle this problem head on, by tracking open source components in their code, identifying when there are vulnerabilities, and providing routes to fix them. And today, one of the pioneers in the space, Israel-based WhiteSource, is announcing that it has raised $35 million to expand the scope of its work — by hiring more engineers, doubling down on its platform and coming to more geographies — it currently has offices in New York, Boston and Tel Aviv — to expand beyond the 500 large enterprises that use its tools today (including 23 percent of Fortune 100 companies).
Led by new investor Susquehanna Growth Equity, others in this round include 83North and M12 (formerly known as Microsoft Ventures), both previous backers.
WhiteSource is not disclosing its valuation, but a source close to the company tells me it’s in the region of $200 million. The company has raised $46 million to date.
WhiteSource has been around since 2011, founded by Rami Sass (CEO), Azi Cohen, Ron Rymon and Roni Einav — four alums from a previous startup, an identity management firm called Eurekify, which was acquired by CA about a decade ago. Sass said in an interview that even though WhiteSource had quietly bootstrapped itself initially and had only raised around $11 million before now, there had been a “big shift” in the marketplace in the last year or so.
“There is now an awareness to the potential risk of security vulnerabilities in open source code that’s being used, and that you want to use more,” he said. “So we decided to make a big jump, and focus on becoming a more substantial firm. That means a lot of plans to increase innovation and invest in the next phase of technology in this space.”
(Indeed, this funding comes on the heels of another startup in the same space, Synk, raising $22 million less than a month ago — a collective sign not just of the widespread use of open source, but the acceptance that there are a lot of vulnerabilities in the packages that need identifying and addressing.)
WhiteSource was one of the early companies to coin the term “software composition analysis” — “It wasn’t even in existence until we started the company,” Sass said — and while Sass didn’t specify what the next phase of tech at WhiteSource might entail, there are some critics of the “waterfall” model of SCA. Future work at WhiteSource might well entail more developer-centric versions of its detection software, on top of those it already offers.
While Black Duck (acquired by Synopsys last December), Snyk and others all offer a way to detect vulnerabilities in open source code, WhiteSource’s belief is that its solution is the most comprehensive on the market by comparison. “Monitoring is a limited description,” Sass said of what WhiteSource does. “We are able to govern security risk mitigation, able to look at every step, able to block out components based on corporate policy.”
These include tools to prevent vulnerabilities from creeping into code in the first place, as well as actions that an organization can take retroactively once a vulnerability has been identified; as well as scanning multiple sources for the newest information on open source code (building on what is considered the main resource, the National Vulnerability Database). On a positive note, nearly 98 percent of all vulnerabilities in open source packages have fixes built for them: the challenge is in identifying the holes and deploying the right code to the rescue.
The issue of open source vulnerabilities is a persistent one. Research from WhiteSource found that the number of disclosed open source software vulnerabilities in 2017 rose by over 60 percent over 2016, with 2018 shaping up to be even bigger.
Moreover, the vulnerabilities seem to exist in direction variation to the popularity of the package or computing language being used.
“The more popular an open source project is, the larger its community and the more ‘eyeballs’ it garners from security researchers,” the company noted in a recent report. “With more contributors looking at it, more security and quality issues are discovered and made public every month.” WhiteSource estimates that 7.5 percent of all open source projects are vulnerable because of this, but of the 100 most popular projects, 32% are vulnerable.
“WhiteSource has established the standard for open source security solutions with its strong leadership and breakthrough innovation,” said Martin Angert, Director at Susquehanna Growth Equity, in a statement. “We are excited for join WhiteSource on their journey to help businesses develop better software, faster.”