News
Checkmarx Acquires Dustico
August 2021 by Marc Jacob
Checkmarx announced that it has acquired Dustico, a SaaS-based solution that detects malicious attacks and backdoors in open source software supply chains. Through this acquisition, Checkmarx will combine its AST capabilities with Dustico’s behavioural analysis technology to give customers a unified view into the risk, reputation, and behaviour of open source packages, resulting in a more comprehensive approach to preventing supply chain attacks.
According to Gartner, “by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021,”¹ making security of these networks paramount. Supply chain incidents often stem from malicious actors deliberately injecting hard-to-detect, tainted code into open source packages used in software development. While open source presents myriad benefits, developers must take reputation and credibility into consideration and apply a zero-trust security mindset to external code packages being adopted into modern applications.
Dustico’s technology is built to go beyond traditional source code vulnerability analysis and look at the behaviour and reputation of open source packages via a three-pronged approach. First, the solution factors in trust, providing visibility into the credibility of package providers and individual contributors in the open source community. Second, the health of packages is examined to determine their update cadence and level of maintenance. Finally, Dustico’s advanced behavioural analysis engine inspects packages and looks for malicious attacks hiding within including backdoors, ransomware, multi-stage attacks, and trojans.
This insight, coupled with vulnerability results from Checkmarx’s AST solutions, gives organisations and developers a more holistic, unified, and effective approach for managing the risks associated with open source and the supply chains dependent on them.
Additional key features of Dustico include:
Advanced machine learning and threat intelligence. Powered by highly advanced machine learning models, Dustico automatically detects abnormal behaviours in code packages and checks IOCs against multiple threat intelligence feeds to provide accurate and advanced detection of attackers’ activity (TTPs).
Ahead-of-time analysis. Dustico’s technology is engineered to fetch packages for analysis as soon as they are published online, giving development teams a faster and more streamlined user experience.
Developer-first approach. With Dustico being natively integrated into the Checkmarx platform, developers will benefit from a frictionless user experience via direct integrations into their CI and build systems.
1 – Gartner, How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks, Manjunath Bhat, Dale Gardner, Mark Horvath, 15 July 2021
