Updated 21:00 BST January 6 with further comment from Veracode clarifying the precise nature of what has been acquired.
Cybersecurity firm Veracode has bought malicious package detection and mitigation technology from Phylum - a US startup founded by a team of former intelligence service specialists that raised $15 million in a Series A in 2022.
The OSS security toolset will be integrated into Veracode’s software composition analysis (SCA) product and be generally available (GA) this year. The deal “bolsters Veracode’s renowned security research team with Phylum’s experts,” it said.
The terms of the deal were not disclosed.
“Veracode is acquiring certain technology assets of Phylum, not the entirety of the company. These technology assets are malicious package analysis, detection, and mitigation capabilities, a package management firewall, and an unmatched malicious package database. A team of 14 R&D professionals will also join Veracode from Phylum,” it confirmed in response to questions from The Stack.
The deal is private equity-backed Veracode’s second acquisition in nine months, following its buyout of Longbow Security, a specialist in security risk management for cloud-native environments. Earlier acquisitions include the December 2022 buyout of Germany-based Crashtest Security to boost its dynamic analysis and pen testing capabilities for web apps and APIs, as well as the April 2022 acquisition of “auto-remediation technology” from Jaroona, a 2021 Gartner Cool Vendor for DevSecOps; the technology acquired in that deal enabled the launch of its Veracode Fix remediation-proposing platform.
Veracode CPO Ravi Iyer said in a canned statement that the Phylum deal “advances Veracode’s mission to be the most comprehensive application risk management platform by significantly expanding our ability to identify, mitigate, and remediate risks across the software supply chain…”
Phylum at the time of its Series A described the market backdrop and its USP as follows: “Open-source software has enabled developers to accelerate release schedules. DevOps processes assist developers through standards enforcement, testing and build automation. This… enables automated use of untrusted software via dependencies from unknown authors on the Internet, increasing the security teams' burden to manage risk at the same pace.
“Recent attacks [however] have shown that we can no longer solely rely on software composition analysis products that are focused on software vulnerabilities… to defend the complete attack surface of the open-source software supply chain. Phylum automates the entire process of identifying packages, analyzing the supply chain risk, and categorizing these risks into five domains: Malicious Code, Vulnerability, License, Author, and Engineering risk.”