FOSSA Provides End-to-End Governance for Third-Party Code
San Francisco, CA-based FOSSA, an open source management firm, has raised $23.2 million in a Series B funding round from Bain Capital Ventures, Canvas Ventures and Costanoa Ventures, bringing the total raised to $35 million.
The company has simultaneously launched FOSSA Security Management, a product designed to help organizations secure their software supply chain; that is, to bring under control the inclusion and use of open source software within their own software development. Gartner’s Technology Insight for Software Composition Analysis, published in November 2019, estimated that 90% of the code in 90% of software in development and production is open source.
In June 2020, RiskSense reported on more than 1,000 vulnerabilities in just 54 popular open source projects during 2019. Between 2015 and 2020, almost 2,700 were reported and given CVE designations, and 89 of these vulnerabilities were weaponized. Companies must take the security of the open source software included in their own software development seriously.
The problem goes beyond vulnerabilities and includes accurate maintenance of open source license obligations. Historically, however, there has been little to help companies do this. This is the purpose of FOSSA Security Management: to provide a complete vulnerability and license scanning solution for open source software, built on clear standards that are shared across teams and remain consistent over time.
CEO and founder Kevin Wang described the product to SecurityWeek. It uses proprietary analysis tools to dig into the open source software being used in development and find the vulnerability and license issues that developers might miss. This analysis is integrated with a centralized policy engine. The policy is usually defined jointly by the legal, security and engineering teams, and will differ from company to company, and even from application to application. The policy defines the rules of governance: what the company’s vulnerability management posture is, which licenses are acceptable, and what counts as high quality code.
“The important thing,” said Wang, “is you have a centralized place where these rules can be kept and from where they can be automatically quantified and enforced throughout the development process.”
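As an added illustration of the kind of centralized policy check described above (example code written for this article, not FOSSA’s product or API; the dependency inventory, vulnerability identifiers and policy values are all constructed), the following evaluates one policy over a project’s resolved dependencies. Legal supplies the license allow-list, security supplies the severity threshold and whether it applies to transitive dependencies, and the same function gates every team’s build.

```python
"""Added example: a minimal dependency-risk policy check (not FOSSA's code).

Everything below is constructed for the example: the dependency inventory,
the vulnerability identifiers (EXAMPLE-nnnn, not real CVEs) and the policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                  # constructed identifier, not a real CVE
    cvss: float                   # CVSS base score, 0.0-10.0
    fix_version: Optional[str]    # None when no fixed release exists


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str                  # SPDX license identifier
    direct: bool                  # True if declared in the project's own manifest
    vulns: Tuple[Vulnerability, ...] = ()


@dataclass(frozen=True)
class Policy:
    allowed_licenses: frozenset   # SPDX ids the legal team has approved
    max_cvss: float               # findings at or above this score block the build
    block_on_transitive: bool     # apply the CVSS rule to transitive deps as well


def evaluate(deps: Tuple[Dependency, ...], policy: Policy) -> List[Tuple[str, str]]:
    """Return (dependency name, reason) pairs for every policy violation.

    A dependency can produce several findings: one for a disallowed license
    and one per vulnerability that meets the severity threshold.
    """
    findings = []
    for dep in deps:
        if dep.license not in policy.allowed_licenses:
            findings.append((dep.name, f"license {dep.license} is not on the allow-list"))
        # Security decides whether transitive dependencies are in scope for the
        # severity rule; direct dependencies always are.
        in_scope = dep.direct or policy.block_on_transitive
        if not in_scope:
            continue
        for v in dep.vulns:
            if v.cvss >= policy.max_cvss:
                hint = f"upgrade to {v.fix_version}" if v.fix_version else "no fix available"
                findings.append((dep.name, f"{v.vuln_id} CVSS {v.cvss} ({hint})"))
    return findings


def gate(findings: List[Tuple[str, str]]) -> int:
    """CI exit status: 0 when the policy is satisfied, 1 when it is violated."""
    return 1 if findings else 0


# Constructed inventory: what a lockfile or SBOM for one service might resolve to.
SAMPLE_DEPS = (
    Dependency("web-framework", "2.1.0", "MIT", direct=True),
    Dependency("yaml-parser", "1.4.2", "BSD-3-Clause", direct=True,
               vulns=(Vulnerability("EXAMPLE-0001", 9.8, "1.4.3"),)),
    Dependency("crypto-helper", "0.9.0", "GPL-3.0-only", direct=False),
    Dependency("log-formatter", "3.0.1", "Apache-2.0", direct=False,
               vulns=(Vulnerability("EXAMPLE-0002", 5.3, None),)),
)

# Constructed policy: permissive licenses only, block high/critical everywhere.
POLICY = Policy(
    allowed_licenses=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}),
    max_cvss=7.0,
    block_on_transitive=True,
)


if __name__ == "__main__":
    results = evaluate(SAMPLE_DEPS, POLICY)
    for name, reason in results:
        print(f"BLOCK {name}: {reason}")
    raise SystemExit(gate(results))
```

With the constructed inputs the check blocks on two findings: the direct `yaml-parser` dependency carries a critical-severity issue with an available fix, and the transitive `crypto-helper` is licensed under GPL-3.0-only, which the allow-list does not include. The medium-severity issue in `log-formatter` is below the threshold and is reported by nothing, which is exactly the kind of decision the policy, not the individual developer, should own.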
“With FOSSA,” says the firm, “organizations can actively monitor their open source software for vulnerability and license risks and enforce the appropriate risk policies across their teams at scale for continuous risk mitigation.” In an associated blog, the firm claims that the new product allows organizations to monitor their open source software for vulnerability and license risks as a single automated process during development and deployment, and enforce appropriate policies. “In fact,” it says, “FOSSA users benchmark 47% fewer false-positives by finding vulnerabilities in the dependencies they actually rely on earlier in the SDLC.”
FOSSA was founded in 2015 by Wang. It raised $8.5 million in a Series A funding round announced in September 2019. The new funding will support product development and FOSSA’s expansion into EMEA.
Related: GrammaTech Releases Open Source API Security Tool
Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities
Related: New GitHub Security Lab Aims to Secure Open Source Software
Related: Cybersecurity Firms Partner on Open Source Security Technology Development