Snyk bolsters open source software security with FossID acquisition

Open source software vulnerability scanning platform Snyk has acquired FossID, a Swedish startup that develops a software composition analysis tool for open source code.

Though the two companies very much operate in the same space, bringing FossID under its wing will give Snyk greater coverage for open source license compliance issues and more extensive support for software written in C and C++.

Snyk, which was founded out of London in 2015, helps developer teams find and address vulnerabilities and license violations in their open source code bases, containers, and Kubernetes applications by drawing on a large vulnerability database it maintains internally. The company counts high-profile customers such as Google, Twilio, Atlassian, and Salesforce.

[Image] Above: Snyk code scan

Language support

Snyk currently supports dozens of languages, including Java, JavaScript, Golang, Python, Ruby, and Scala. Although it already had some support for C/C++, FossID is the missing piece of the puzzle that allows it to go deeper.

C and C++ are used by millions of developers, and they are used partly or wholly in major applications from Amazon and YouTube to Photoshop, as well as in a wide range of open source software such as the MySQL database management system, Firefox, Google’s Chromium browser, and myriad legacy applications.

“It’s a broad ecosystem,” Snyk cofounder and president Guy Podjarny told VentureBeat. “This acquisition helps us reach all 6.3 million C/C++ developers, and bring them the combined depth of analysis FossID offers with the great developer experience Snyk is known for.”

Founded out of Stockholm in 2016, FossID has amassed a decent roster of customers including Bosch, Ericsson, and companies from across the automotive, finance, and manufacturing spheres.

Snippets

FossID claims to be adept at identifying vulnerabilities in “all forms” of open source, including small snippets that have been copied from an open source software package. Traditionally, this has been difficult to achieve at scale.

“This acquisition will help Snyk identify ‘messier’ uses of open source,” Podjarny explained. “This includes binaries downloaded from the Internet, snippets of code copy-pasted from StackOverflow into a commercial code base, or source code that was downloaded, modified and then used.”

FossID tracks two petabytes of open source code in its internal data warehouse and uses AI to match code between that database and the customer’s own code base.

“This helps you find those pieces of open source, which in turn helps find and address vulnerabilities in them and track license issues to stay compliant,” Podjarny added. “This will be especially useful when securing embedded, gaming, trading, and legacy enterprise applications.”
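To make the snippet-matching idea concrete, here is an added, self-contained illustration that is not FossID’s or Snyk’s code (the article does not describe their matching method beyond “AI”). It uses winnowing fingerprints, a well-known technique from plagiarism detection, as a stand-in: a tiny constructed “corpus” of two hypothetical packages with placeholder licenses is indexed, and a constructed customer file containing a reformatted, comment-laden copy of one function is scanned against it. Package names, licenses, the code fragments, and the thresholds are all assumptions made for the example.

```python
"""Snippet-level open source matching with winnowing fingerprints.

Added example, not FossID's or Snyk's implementation. Corpus packages,
licenses and source fragments below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

K = 6  # tokens per k-gram
W = 4  # winnowing window: any shared run of >= K+W-1 tokens yields a shared fingerprint


def tokenize(src: str) -> list:
    """Drop C-style comments and whitespace so reformatting alone cannot hide a copy."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", " ", src, flags=re.S)
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", src)


def fingerprints(src: str, k: int = K, w: int = W) -> set:
    """Winnowing: hash every k-gram of tokens, keep the minimum hash of each window."""
    tokens = tokenize(src)
    hashes = [
        int(hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()[:8], 16)
        for i in range(len(tokens) - k + 1)
    ]
    if not hashes:
        return set()
    return {min(hashes[i:i + w]) for i in range(max(1, len(hashes) - w + 1))}


# Constructed corpus: (package, license) -> source. Both packages are hypothetical.
CORPUS = {
    ("libcrc-example", "GPL-2.0-only"): """
unsigned int crc_update(unsigned int crc, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1));
    }
    return crc;
}
""",
    ("tinyjson-example", "MIT"): """
static int skip_ws(const char *s, int pos) {
    while (s[pos] == ' ' || s[pos] == '\\n' || s[pos] == '\\t') pos++;
    return pos;
}
""",
}

# Constructed customer file: the CRC function copied in with new layout and comments,
# plus unrelated first-party code.
CUSTOMER_FILE = """
/* vendored from somewhere on the internet, origin unknown */
unsigned int crc_update(unsigned int crc,
                        const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];   // fold in the next byte
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1));
    }
    return crc;
}

int checksum_file(const char *path) { return open_and_hash(path); }
"""


def build_index(corpus: dict):
    """Invert the corpus: fingerprint -> packages containing it, plus per-package sizes."""
    index = defaultdict(set)
    sizes = {}
    for pkg, src in corpus.items():
        fps = fingerprints(src)
        sizes[pkg] = len(fps)
        for fp in fps:
            index[fp].add(pkg)
    return index, sizes


def scan(src: str, index: dict, sizes: dict, threshold: float = 0.25) -> dict:
    """Report packages whose fingerprints are covered by the file above the threshold.

    The score is the fraction of a package's fingerprints seen in the file, so a
    large file that swallows one small package still scores that package highly.
    """
    hits = defaultdict(int)
    for fp in fingerprints(src):
        for pkg in index.get(fp, ()):
            hits[pkg] += 1
    return {pkg: n / sizes[pkg] for pkg, n in hits.items() if n / sizes[pkg] >= threshold}


def demo() -> dict:
    index, sizes = build_index(CORPUS)
    return scan(CUSTOMER_FILE, index, sizes)


if __name__ == "__main__":
    for (pkg, lic), score in demo().items():
        print(f"{pkg} ({lic}): {score:.0%} of package fingerprints found")
```

Because comments and whitespace are discarded before hashing, the copied function scores as a full match despite its reformatting, while the unrelated package and first-party code produce no hits. A production SCA engine would additionally have to cope with identifier renaming, partial copies, and a corpus orders of magnitude larger than this toy index, which is exactly where the scale problem the article mentions comes in.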

Put simply, bolstering its own data pool and diving deeper into C and C++ broadens Snyk’s horizons significantly.

As a result of the acquisition, FossID will be integrated into Snyk Open Source, Snyk’s software composition analysis (SCA) product. It also comes hot on the heels of a flurry of activity across the open source security and compliance landscape.

Just last month, WhiteSource raised $75 million from prominent investors such as Microsoft’s M12, which followed Snyk itself securing a fresh $300 million cash injection at a valuation of $4.7 billion. And earlier this week, cybersecurity giant Trend Micro announced a new partnership with Snyk to offer its own customers a new product that gives security teams (rather than developers) insights into vulnerabilities and compliance risks across their open source code.
