Snyk raises $22M on a $100M valuation to detect security vulnerabilities in open source code

Open source software is now a $14 billion+ market and growing fast, in use in one way or another in 95 percent of all enterprises. But that expansion comes with a shadow: open source components can carry vulnerabilities, and their widespread use in apps becomes a liability to a company's cybersecurity. Now, a startup out of the UK called Snyk, which has built a way to detect when the open source components inside those apps are vulnerable, is announcing a $22 million round of funding to meet the demand from enterprises wanting to tackle the issue head on. Led by Accel, with participation from GV plus previous investors Boldstart Ventures and Heavybit, this Series B notably is the second round raised by Snyk within seven months: it raised a $7 million Series A in March. That is a measure of how the company is growing (and how enthusiastic investors are about what it has built so far).

The startup is not disclosing its valuation, but a source close to the deal says it is around $100 million now (it has raised about $33 million to date). As a measure of Snyk's growth, the company says it now has over 200 paying customers and 150,000 users, with revenues growing five-fold in the last nine months. In March, it had 130 paying customers. (Current clients include ASOS, Digital Ocean, New Relic and Skyscanner, the company said.)

Snyk's delivery model sits squarely in the middle of how enterprise services are sold today: organisations can use it on-premises, via the cloud, or in a hybrid of the two, with a range of paid and free tiers to get users acquainted with the service. Guy Podjarny, the company's CEO, who co-founded Snyk with Assaf Hefetz and Danny Grander, explained that Snyk works in two parts.
First, the startup has built a threat intelligence system "that listens to open source activity." Tapping into open-conversation platforms — for example, GitHub commits and forum chatter — Snyk uses machine learning to detect potential mentions of vulnerabilities. It then funnels these to a team of human analysts, "who verify and curate the real ones in our vulnerability DB."

Second, the company analyses source code repositories — including, again, GitHub as well as BitBucket — "to understand which open source components each one uses, flag the ones that are vulnerable, and then auto-fix them by proposing the right dependency version to use and through patches our security team builds."

Open source components "don't have more vulnerabilities than closed source ones," he added, "but their heavy reuse makes those vulnerabilities more impactful." Components can be used in thousands of applications, and by Snyk's estimation, some 77 percent of those applications will end up with components that have security vulnerabilities. "As a result, the chances of an organisation being breached through a vulnerable open source component are far greater than a security flaw purely in their code."

Podjarny says there are no plans to tackle proprietary code in the longer term; instead, Snyk will expand how it monitors apps built on open source. "Our focus is on two fronts: building security tools developers love, and fixing open source security," he said.
"We believe the risk from insecure use of open source code is far greater than that of your own code, and is poorly addressed in the industry. We do intend to expand our protection from fixing known vulnerabilities in open source components to monitoring and securing them in runtime, flagging and containing malicious and compromised components." While this is a relatively new area for security teams to monitor and address, he added that the Equifax breach highlighted what might happen in the worst-case scenario if such issues go undetected.
Snyk is not the only company that has identified the gap in the market. Black Duck focuses on flagging non-compliant open source licences, and offers some security features as well. However, it is Snyk — whose name derives from a play on the word "sneak", combined with the acronym meaning "so now you know" — that seems to be catching the most attention at the moment.

"Some of the largest data breaches in recent years were the result of unfixed vulnerabilities in open source dependencies; as a result, we've seen the adoption of tools to monitor and remediate such vulnerabilities grow exponentially," said Philippe Botteri, partner at Accel, who is joining the board with this round. "We've also seen the ownership of application security shifting towards developers. We feel that Snyk is uniquely positioned in the market given the team's deep security domain knowledge and developer-centric mindset, and are thrilled to join them on this mission of bringing security tools to developers."