Application security

Startup WhiteSource gets $75 million to find and fix buggy open source components

The massive 2017 Equifax hack was done in part by exploiting a critical (though patched) web server vulnerability in Apache Struts, a common and popular open source framework for creating Java applications. (Equifax)

Cybersecurity startup WhiteSource announced it has raised $75 million in Series D funding, highlighting how tech and security investors are increasingly focusing on the open source software security market.

The latest investment of $75 million, drawn mostly from Pitango Growth and existing investors M12, Susquehanna Growth Equity, and 83North, is significantly more than the approximately $46 million the company raised combined through previous funding rounds. As part of the deal, Pitango Growth managing partner Isaac Hillel will join WhiteSource’s board of directors.

It’s a sign that software security – and open-source security in particular – is increasingly top of mind for investors as industry and governments respond to a series of damaging software-based hacks carried out by nation state actors over the past year.

Founded in 2011 with offices in the U.S., U.K. and Israel, WhiteSource sells an automated security, compliance and reporting solution that scans open source repositories and cross references that data with the open source components in a development team’s build environment in order to alert them about bugs, vulnerabilities, patches and other fixes. The idea was developed in part from the bumpy experience co-founders Rami Sass and Ron Rymon had producing an inventory report for their software at their first company Eurekify before selling it to CA Technologies.

“Application security needs have gone beyond just detection to include continuous prioritization and prevention, as demonstrated by recent software supply chain attacks,” said Sass in a statement. “This investment brings us closer to creating a future where the cycle of application delivery is always a step ahead of any security risk, and where developers are easily equipped with code they can trust.”

Open source code – and the potential vulnerabilities it contains – composes a surprising proportion of the commercial software economy. While most cybersecurity experts agree there is nothing inherently less safe or secure about using open source code, it is not immune to the same mistakes and oversights that sometimes open up security holes in commercial software. The massive 2017 Equifax hack that led to the theft of consumer and credit data of 143 million Americans was done in part by exploiting a critical (though patched) web server vulnerability in Apache Struts, a common and popular open source framework for creating Java applications.

And its usage continues to grow. According to Forrester, the average percentage of open source code in audited code bases doubled in the past half decade, from 36% in 2015 to 70% in 2019. Meanwhile, it's taking developers longer to remediate and fix known open source vulnerabilities, with about half of respondents saying it takes anywhere from a week to more than six months. Another 3% said they are never fixed.

Sandy Carielli, principal analyst at Forrester, said more recent concepts like a software bill of materials – which the Biden administration is reportedly mulling for defense contractors in a forthcoming executive order – could be particularly helpful in running down and cataloguing the use of vulnerable open source code.

“The analogy I use is that if I have a food allergy, it would be really nice if I can look at the ingredients list on a particular food item and know whether the thing that I want to eat is going to kill me or not,” she said.
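The core of what the article describes, an inventory of open source components cross-referenced against known vulnerability data, with the "patched but not applied" case called out, can be shown in a few dozen lines. This is an added illustration, not WhiteSource's product code or a real advisory feed: the SBOM-style inventory, the advisory identifiers (ADV-EXAMPLE-*) and the version ranges are all constructed for the example.

```python
# Added example, not WhiteSource's code: cross-reference a dependency inventory
# (an SBOM-style list) against a constructed advisory feed and report which
# components are vulnerable and whether a fixed version already exists.
import json
from typing import Dict, List, Optional, Tuple

# Constructed inventory in a minimal CycloneDX-like shape; names and versions
# are illustrative, not a real project's build.
SBOM_JSON = """{
  "components": [
    {"group": "org.apache.struts", "name": "struts2-core", "version": "2.3.31"},
    {"group": "com.example", "name": "internal-lib", "version": "1.0.0"},
    {"group": "org.example", "name": "jsonlib", "version": "3.2.0"}
  ]
}"""

# Constructed advisory feed: identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "group": "org.apache.struts", "name": "struts2-core",
     "introduced": "2.3.0", "fixed": "2.3.32"},
    {"id": "ADV-EXAMPLE-2", "group": "org.example", "name": "jsonlib",
     "introduced": "3.0.0", "fixed": None},  # no patch published yet
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; enough for the constructed data above."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed (open-ended when no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) match, with patch status."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if (adv["group"], adv["name"]) != (comp["group"], comp["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f'{comp["group"]}:{comp["name"]}@{comp["version"]}',
                    "advisory": adv["id"],
                    "patch_available": adv["fixed"] is not None,
                    "fixed_version": adv["fixed"],
                })
    return findings
```

A finding with `patch_available` true is the Equifax situation the article describes: the fix exists and the remaining work is applying it, which is where the prioritization the quoted executives talk about comes in.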

This reliance on code from various open-source libraries and repositories has become so entrenched that some experts worry it’s creating a veil of ignorance preventing developers from understanding the security holes in their own software. In a world where malicious hackers are increasingly targeting the software application layer in their attacks, there is a growing need to find solutions and tools to secure the open-source components that underpin much of our commercial and other software. Some security executives, like Royal Hansen, vice president of security at Google, pointed to non-profits like the Open Source Security Foundation that have sprung up in the last few years as evidence of newfound urgency among industries to tackle the massive task.

“Think of all the open-source libraries which the world depends upon,” said Hansen in March during a cybersecurity event hosted by Neil Daswani and Moody Elbayadi, authors of the book Big Breaches: Cybersecurity Lessons for Everyone. “Getting the supply chain of those major open source software packages, such that the provenance, where people build them and where they include them in their own software…is a huge job unto itself.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
