Sonar Targets Open-Source Library Risks, Enhancing DevSecOps
Sonar, a Geneva-based code security provider, has announced its intention to acquire Tidelift, a startup with experience in maintaining and securing third-party open-source code libraries. This acquisition aims to bolster code quality and security by leveraging Tidelift’s network of open-source maintainers.
Harry Wang, Sonar’s Vice President of Growth and New Ventures, noted that this move aligns with Sonar’s mission to help developers create better software by identifying and addressing both quality and security issues within their code. This acquisition is expected to enhance Sonar’s existing capabilities in first-party and AI-generated code verification.
Tidelift, founded in 2017 and based in Boston, has raised $73.5 million in funding, with its most recent $33.5 million Series C round led by Dorilton Ventures. The company is recognized for engaging directly with library developers to ensure real-time information regarding vulnerabilities and necessary updates, consistently addressing reliability in third-party libraries.
Addressing Third-Party Code Security Challenges
The integration of Tidelift represents a critical advancement for Sonar, especially considering the predominance of open-source libraries in modern software development. Wang explained that Tidelift’s network of over 400 maintainers provides essential human-verified insights, filling the gaps in third-party library security efforts.
Wang emphasized that the collaboration would not only extend the detection of quality and security issues but would draw on Tidelift’s real-time information stream, in contrast with existing solutions that often rely on vulnerability databases that lag behind disclosures. This strategy will allow Sonar to feed human-verified intelligence into its software development and security tools, covering both the code a team writes and the libraries it depends on.
Tidelift’s approach centers on engaging the developers who maintain the libraries, so that updates and vulnerability disclosures reach users promptly and from the source. By connecting this information to Sonar’s products through APIs, customers will see Tidelift’s insights directly within the SonarQube interface alongside their own analysis results, which shortens the path from a flagged dependency to a fix.
Enhancing Security for AI-Generated Code
As the prevalence of AI-generated code grows, Tidelift’s network of open-source maintainers will also play a role in checking the open-source components that such code pulls in. Wang noted that the acquisition positions Sonar to use Tidelift’s intelligence to create feedback loops for the continuous improvement of AI-generated software.
For organizations across sectors like finance and government, where compliance and security are paramount, Tidelift’s maintainers offer added assurance regarding the reliability of open-source components used within applications. By providing actionable insights, the joint Sonar-Tidelift platform aims to streamline development processes while maintaining enhanced security standards.
Wang stated that the integration would focus on delivering precise information to developers, reducing the burden of security issues and allowing for clearer remediation pathways. This developer-centric approach is designed to alleviate the challenges posed by an increasingly complex cybersecurity landscape.
In light of ongoing consolidation within the software development industry, Sonar says it remains committed to exploring strategic growth opportunities. The Tidelift deal follows its acquisition of Structure101, a code structure analysis company, and Sonar has indicated it will continue to pursue further enhancements to its offerings.