
Veracode Buys Package Analysis Technology From Phylum

The deal adds Phylum's technology for malicious package analysis, detection, and mitigation to Veracode's software composition analysis portfolio.

Fahmida Y. Rashid, Managing Editor, Features

January 7, 2025

2 Min Read
[Image: a sign with the words 'open source' written in blue. Source: Yury Zap via Alamy Stock Photo]

NEWS BRIEF

Application security company Veracode has acquired malicious package analysis, detection, and mitigation technology from software supply chain security startup Phylum, along with some staff who worked on package analysis.

The technology will enhance Veracode's capabilities to identify and block malicious code in open source libraries, giving customers a more comprehensive view of the risks associated with using open source code, the company said. The new staff will join Veracode's security research team.

The deal comes at a time when organizations are increasingly concerned about the risks of vulnerabilities in open source code.

Founded in 2020, Phylum specializes in technologies for analyzing, detecting, and mitigating malicious software packages. The tools provide instant analysis of newly published packages, helping organizations identify and block them in real time. Back in 2022, when Phylum won Black Hat's first Innovation Spotlight competition, co-founder Peter Morgan described package analysis as looking at risk indicators to create a "credit score for packages."
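To make the "credit score for packages" idea concrete, here is an added illustration of how a package gatekeeper can turn metadata indicators for a newly published package into a numeric risk score and an allow/block decision. This is example code written for this page, not Phylum's or Veracode's product logic; the indicators, weights, threshold, popular-name list and sample packages are all assumptions constructed for the demonstration.

```python
"""Illustrative package risk scoring (added example; not Phylum's or Veracode's code).

Turns a handful of metadata indicators for a newly published package into a
risk score and a block/allow decision, in the spirit of the "credit score for
packages" idea. Indicators, weights and the threshold are assumptions chosen
for the demonstration, not any vendor's real model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical set of widely used names that a lookalike package might imitate.
POPULAR_NAMES = {"requests", "numpy", "lodash", "express"}

BLOCK_THRESHOLD = 50  # assumption: a package firewall would block at or above this score


@dataclass
class PackageMeta:
    name: str
    published_at: datetime
    has_install_hook: bool                 # e.g. code that runs at install time
    maintainer_changed_days: Optional[int]  # days since an owner change, None if never
    downloads_last_month: int
    suspicious_strings: List[str] = field(default_factory=list)  # e.g. "eval(", long base64 blobs


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag names one or two typos away from a popular one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_package(meta: PackageMeta, now: datetime) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher score means more risk."""
    score, reasons = 0, []
    if now - meta.published_at < timedelta(days=7):
        score += 20
        reasons.append("published less than 7 days ago")
    if meta.has_install_hook:
        score += 25
        reasons.append("runs code at install time")
    if meta.maintainer_changed_days is not None and meta.maintainer_changed_days < 30:
        score += 15
        reasons.append("maintainer changed within 30 days")
    if meta.downloads_last_month < 100:
        score += 10
        reasons.append("very low download count")
    for popular in sorted(POPULAR_NAMES):  # sorted so the first match is deterministic
        d = edit_distance(meta.name, popular)
        if 0 < d <= 2:  # distance 0 is the genuine package, not a lookalike
            score += 30
            reasons.append(f"name within {d} edit(s) of '{popular}'")
            break
    if meta.suspicious_strings:
        score += 10 * min(len(meta.suspicious_strings), 3)  # cap the contribution
        reasons.append("suspicious strings: " + ", ".join(meta.suspicious_strings[:3]))
    return score, reasons


def firewall_decision(meta: PackageMeta, now: datetime) -> Tuple[str, int, List[str]]:
    """Apply the threshold the way an in-line package firewall would."""
    score, reasons = score_package(meta, now)
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), score, reasons


# Constructed sample data for the demonstration (not real packages).
SAMPLE_NOW = datetime(2025, 1, 7, tzinfo=timezone.utc)


def build_samples() -> List[PackageMeta]:
    return [
        # a day-old lookalike of "requests" with an install hook and an eval call
        PackageMeta("requets", SAMPLE_NOW - timedelta(days=1), True, None, 5, ["eval("]),
        # a long-established, heavily downloaded package with no red flags
        PackageMeta("numpy", SAMPLE_NOW - timedelta(days=700), False, None, 1_000_000, []),
    ]


if __name__ == "__main__":
    for pkg in build_samples():
        decision, score, reasons = firewall_decision(pkg, SAMPLE_NOW)
        print(f"{pkg.name}: {decision} (score {score}) {reasons}")
```

The point of the scoring structure is that no single indicator is decisive: a newly published package or an install hook alone stays under the threshold, while several weak signals together push a lookalike over it, which is what a real-time gate needs in order to block quickly without rejecting every fresh release.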

Phylum’s recent research identified nearly half a million malicious packages, including campaigns targeting finance and cryptocurrency companies.

Veracode's platform is used by organizations to scan code to understand exploitable risks, identify and remediate vulnerabilities, and reduce security debt. With Phylum's technology, Veracode can significantly reduce the attack window by helping customers identify the existence of malicious packages in their applications much faster, the company said.

The malicious package database and package management firewall will be integrated into Veracode's Software Composition Analysis product, with general availability expected early this year, Veracode said.

"With Phylum's unmatched database and cutting-edge research—proven to detect 60 percent more malicious packages than any other vendor—our customers will gain the confidence to innovate faster, knowing their software is protected against evolving threats," said Ravi Iyer, Veracode's chief product officer, in a statement.

Veracode did not disclose the financial terms of the transaction.


About the Author

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

As Dark Reading's managing editor for features, Fahmida Y. Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional, with experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and tech trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom's Guide.
