Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Cybersecurity Funding

Open Source Management Firm FOSSA Raises $23 Million

FOSSA Provides End-to-End Governance for Third-Party Code

FOSSA Provides End-to-End Governance for Third-Party Code

San Francisco, CA-based FOSSA — an open source management firm — has raised $23.2 million in a Series B funding round from Bain Capital Ventures, Canvas Ventures and Costanoa Ventures; bringing the total raised to $35 million. 

The company has simultaneously launched FOSSA Security Management, a product designed to help organizations secure their software supply chain — that is, the uncontrolled inclusion and use of open source software within their own software development. Gartner’s Technology Insight for Software Composition Analysis, published in November 2019, estimated that 90% of the code in 90% of software in development and production is open source. 

FOSSA LogoIn June 2020, RiskSense reported on more than 1,000 vulnerabilities in just 54 popular open source projects during 2019. Between 2015 and 2020, almost 2,700 were reported and given CVE designations; and 89 of these vulnerabilities were weaponized. Companies must take the security of open source software included in their own software development seriously.

The problem goes beyond the vulnerabilities and includes accurate open source license maintenance. Historically, however, there has been little to help companies do this. This is the purpose of FOSSA Security Management, to provide a complete vulnerability and license scanning solution for open source software built on top of clear standards across teams and timelines.

CEO and founder Kevin Wang described the product to SecurityWeek. It uses proprietary analysis tools to dig into the open source software being used in development to find the vulnerability and license issues that might be missed by the developers. This analysis is integrated with a centralized policy engine. The policy is usually defined by the legal team, the security team, and the engineering team, and will differ from company to company, and even application to application. The policy defines the rules of governance around what the company’s vulnerability management posture is like, what licenses are acceptable, and what is considered high quality code.

“The important thing,” said Wang, “is you have a centralized place where these rules can be kept and from where they can be automatically quantified and enforced throughout the development process.”

“With FOSSA,” says the firm, “organizations can actively monitor their open source software for vulnerability and license risks and enforce the appropriate risk policies across their teams at scale for continuous risk mitigation.” In an associated blog, the firm claims that the new product allows organizations to monitor their open source software for vulnerability and license risks as a single automated process during development and deployment, and enforce appropriate policies. “In fact,” it says, “FOSSA users benchmark 47% fewer false-positives by finding vulnerabilities in the dependencies they actually rely on earlier in the SDLC.”

Fossa was founded in 2015 by Wang. It raised $8.5 million in a Series A funding round announced in September 2019. The new funding will assist product development, and enhance FOSSA’s expansion into EMEA.

Related: GrammaTech Releases Open Source API Security Tool 

Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities 

Related: New GitHub Security Lab Aims to Secure Open Source Software 

Related: Cybersecurity Firms Partner on Open Source Security Technology Development

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.