Cybersecurity Funding

Open Source Management Firm FOSSA Raises $23 Million

FOSSA Provides End-to-End Governance for Third-Party Code

San Francisco, CA-based FOSSA, an open source management firm, has raised $23.2 million in a Series B funding round from Bain Capital Ventures, Canvas Ventures and Costanoa Ventures, bringing the total raised to $35 million.

The company has simultaneously launched FOSSA Security Management, a product designed to help organizations secure their software supply chain — that is, the uncontrolled inclusion and use of open source software within their own software development. Gartner’s Technology Insight for Software Composition Analysis, published in November 2019, estimated that 90% of the code in 90% of software in development and production is open source. 

In June 2020, RiskSense reported on more than 1,000 vulnerabilities in just 54 popular open source projects during 2019. Between 2015 and 2020, almost 2,700 were reported and given CVE designations, and 89 of these vulnerabilities were weaponized. Companies must take the security of the open source software included in their own software development seriously.

The problem goes beyond vulnerabilities and includes accurate maintenance of open source license obligations. Historically, however, there has been little to help companies do this. FOSSA Security Management is intended to fill that gap by providing a complete vulnerability and license scanning solution for open source software, built on top of clear standards that apply across teams and over time.

CEO and founder Kevin Wang described the product to SecurityWeek. It uses proprietary analysis tools to dig into the open source software being used in development and find the vulnerability and license issues that developers might miss. This analysis is integrated with a centralized policy engine. The policy is usually defined jointly by the legal, security and engineering teams, and will differ from company to company and even from application to application. The policy defines the rules of governance: what the company's vulnerability management posture is, which licenses are acceptable, and what is considered high quality code.

“The important thing,” said Wang, “is you have a centralized place where these rules can be kept and from where they can be automatically quantified and enforced throughout the development process.”

“With FOSSA,” says the firm, “organizations can actively monitor their open source software for vulnerability and license risks and enforce the appropriate risk policies across their teams at scale for continuous risk mitigation.” In an associated blog, the firm claims that the new product allows organizations to monitor their open source software for vulnerability and license risks as a single automated process during development and deployment, and enforce appropriate policies. “In fact,” it says, “FOSSA users benchmark 47% fewer false-positives by finding vulnerabilities in the dependencies they actually rely on earlier in the SDLC.”
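The centralized policy idea described above, as an added illustration that is not FOSSA's code: one policy object, written once by legal, security and engineering, is evaluated against every dependency a build pulls in, and a second, stricter policy shows how the same inventory can pass for an internal tool yet fail for a customer-facing application. The dependency records, the policy fields and the `VULN-` identifiers are constructed for this example.

```python
"""Minimal open source governance check: license allowlist plus a vulnerability
severity ceiling, applied per dependency. Illustrative only; not FOSSA's engine."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Dependency:
    name: str
    version: str
    license_id: str                 # SPDX-style identifier from the package metadata
    direct: bool                    # declared by us (True) or pulled in transitively
    vulns: list = field(default_factory=list)   # constructed (id, severity) pairs


@dataclass
class Policy:
    allowed_licenses: set           # licenses legal has cleared for this application
    max_severity: str               # highest vulnerability severity engineering tolerates
    direct_only: bool = False       # if True, only vulns in direct dependencies block


def evaluate(policy, deps):
    """Return (dependency name, reason) violations; an empty list means the build passes."""
    findings = []
    limit = SEVERITY_RANK[policy.max_severity]
    for d in deps:
        if d.license_id not in policy.allowed_licenses:
            findings.append((d.name, f"license {d.license_id} not permitted"))
        if policy.direct_only and not d.direct:
            continue
        for vuln_id, severity in d.vulns:
            if SEVERITY_RANK[severity] > limit:
                findings.append((d.name, f"{vuln_id} ({severity}) exceeds {policy.max_severity}"))
    return findings


def gate(policy, deps):
    """CI-style verdict: True when the inventory satisfies the policy."""
    return not evaluate(policy, deps)


# Constructed dependency inventory; names, versions and vuln ids are hypothetical.
SAMPLE_DEPS = [
    Dependency("http-client", "2.1.0", "MIT", direct=True, vulns=[("VULN-0001", "high")]),
    Dependency("yaml-parse", "0.9.3", "GPL-3.0", direct=False),
    Dependency("log-fmt", "1.4.2", "Apache-2.0", direct=True, vulns=[("VULN-0002", "low")]),
]

# Two policies for the same inventory: a shipped product is held to a stricter bar.
CUSTOMER_FACING = Policy({"MIT", "Apache-2.0", "BSD-3-Clause"}, max_severity="medium")
INTERNAL_TOOL = Policy({"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0"}, max_severity="high")
```

Running `evaluate(CUSTOMER_FACING, SAMPLE_DEPS)` flags the high-severity finding in `http-client` and the GPL-licensed transitive dependency, while `INTERNAL_TOOL` accepts the same inventory.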

FOSSA was founded in 2015 by Wang. It raised $8.5 million in a Series A funding round announced in September 2019. The new funding will support product development and FOSSA's expansion into EMEA.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.