Checkmarx, an Israeli provider of static application security testing (AST), has acquired open-source supply chain security startup Dustico for an undisclosed sum.

Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious attacks and backdoors in software supply chains.

The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks.

Dustico’s technology analyses open-source packages using a three-pronged approach:

  • Trust: it provides visibility into the credibility of package providers and individual contributors in the open-source community.
  • Health: it examines packages to determine how actively they are maintained.
  • Behaviour: its behavioral analysis engine inspects the package for malicious code hiding within it, including backdoors, ransomware, multi-stage attacks, and trojans.

This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insight into managing the risks associated with open-source packages and the software supply chains that depend on them, according to the two companies.

“Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”

Checkmarx CEO

The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment.