Attackers are increasingly targeting the open source ecosystem, both by exploiting vulnerabilities in widely used libraries, frameworks, and tools and by publishing outright malicious packages. Most software composition analysis (SCA) tools on the market today cannot keep up with the volume of new and clearly malicious activity in that ecosystem.
To address this threat, we are pleased to announce that Veracode has acquired Phylum Inc.'s technology, expanding our capabilities for securing the software supply chain. The addition of Phylum extends our ability to combat these threats through advanced detection and mitigation of malicious packages in open source libraries.
Software teams' reliance on open source libraries, and the threats targeting those libraries, make detecting and blocking malicious packages more important than ever. Malicious packages often contain code designed to exfiltrate sensitive information such as credentials, API keys, and personal data. Detecting these packages is a critical component of application risk management and helps prevent and contain security breaches.
How Phylum addresses the risk of malicious packages
The core of Phylum's technology is a package management firewall backed by a comprehensive database of known malicious packages. Together they detect and block open source threats in real time, early in the development pipeline, before a malicious dependency is ever installed. By integrating these technologies, Veracode strengthens its ability to provide proactive defenses against malware infection, data theft, and remote code execution.
Enhancements to Software Composition Analysis (SCA)
Integrating Phylum's automation into software composition analysis (SCA) gives customers a comprehensive view of the risks that come with using open source libraries. The integrated solution is governed by Veracode's customizable policy engine, which provides effective controls for managing open source risk. Automating the entire process of malicious code analysis shortens the window of opportunity for attackers to gain entry: threats are identified and mitigated faster than before, adding an important layer of security that keeps your applications safe.
Introducing Phylum’s research and expertise
Phylum's research team is an exciting addition to our industry-leading vulnerability research team. By leveraging Phylum's database of malicious packages and its advanced investigation methods, we now detect significantly more malicious packages than any other vendor. The combined expertise of Veracode and Phylum produces stronger research on emerging threats and best practices.
A proactive approach to security
Phylum's technology acts as a firewall for open source software packages. We scan and analyze third-party packages as soon as they are published, so that only approved packages that pass policy enter the customer's development environment. It is a proactive, policy-driven approach that not only identifies threats, but also anticipates and neutralizes them before they can cause harm.
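To make the "package firewall" idea from the two sections above concrete, here is a small policy-driven dependency gate. It is an added illustration written for this page, not Phylum's or Veracode's code, and it does not reflect how their product is implemented. The package names, publication dates, the "known malicious" entries and the list of popular names are all constructed for the example; the rules (block known-malicious versions, hold very new versions, flag install scripts and maintainer changes, and flag names one typo away from a popular package) are common heuristics chosen here as assumptions, not the page's stated policy.

```python
"""Minimal policy-driven package gate, illustrating the "package firewall" idea.

Added example; not Phylum's or Veracode's code. All package names, dates and
the 'known malicious' entries below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Package:
    name: str
    version: str
    published: date           # date this version appeared in the registry
    install_scripts: bool     # e.g. npm preinstall/postinstall hooks
    maintainer_changed: bool  # ownership changed since the previous release


# Constructed "malicious package database": (name, version) pairs. Hypothetical.
KNOWN_MALICIOUS = {("colorz-utils", "1.0.3")}

# Constructed list of popular names used by the typosquat heuristic.
POPULAR = ["lodash", "express", "requests", "axios"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def typosquat_target(name: str):
    """Return the popular package this name is one edit away from, or None."""
    if name in POPULAR:
        return None
    for popular in POPULAR:
        if edit_distance(name, popular) == 1:
            return popular
    return None


@dataclass
class Policy:
    min_age_days: int = 3            # hold versions younger than this
    allow_install_scripts: bool = False

    def evaluate(self, pkg: Package, today: date):
        """Return (decision, reasons); decision is 'block', 'review' or 'allow'."""
        if (pkg.name, pkg.version) in KNOWN_MALICIOUS:
            return "block", ["known malicious package"]
        reasons = []
        target = typosquat_target(pkg.name)
        if target:
            reasons.append(f"name within one edit of '{target}'")
        age = (today - pkg.published).days
        if age < self.min_age_days:
            reasons.append(f"published {age} day(s) ago (< {self.min_age_days})")
        if pkg.install_scripts and not self.allow_install_scripts:
            reasons.append("runs install scripts")
        if pkg.maintainer_changed:
            reasons.append("maintainer changed since previous release")
        if not reasons:
            return "allow", []
        # A typosquat-like name plus any other signal is blocked outright;
        # anything else with findings is held for human review.
        if target and len(reasons) > 1:
            return "block", reasons
        return "review", reasons


def gate(packages, policy: Policy, today: date):
    """Evaluate every dependency; returns {name: (decision, reasons)}."""
    return {p.name: policy.evaluate(p, today) for p in packages}


# Constructed sample lockfile contents (hypothetical packages and dates).
SAMPLE = [
    Package("lodash", "4.17.21", date(2021, 2, 20), False, False),
    Package("lodahs", "1.0.0", date(2025, 1, 14), True, False),
    Package("colorz-utils", "1.0.3", date(2024, 12, 1), False, False),
    Package("left-pad-ng", "2.0.0", date(2025, 1, 13), False, True),
]
TODAY = date(2025, 1, 15)

if __name__ == "__main__":
    for name, (decision, reasons) in gate(SAMPLE, Policy(), TODAY).items():
        print(f"{decision:6} {name}: {'; '.join(reasons) or 'no findings'}")
```

Run against the sample, the gate allows `lodash`, blocks `colorz-utils` on the database hit, blocks `lodahs` (one transposition away from `lodash`, one day old, and running install scripts), and holds `left-pad-ng` for review because it is new and changed maintainer. In a real pipeline the gate would sit in front of the package manager (as a registry proxy or a pre-install hook) and the policy would be the organization's, not these hard-coded thresholds.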
Future roadmap and continuous innovation
We plan to release these capabilities to the market in the first half of 2025. Software supply chain protection and application risk management are Veracode's sole focus. We are excited to continue innovating in these areas and to help our customers keep innovating while shipping secure software.
Schedule a demo today to learn more about how we can help you build a secure future.