Phylum’s Product Provides Immediate Detection of Malicious Open-Source Packages
Veracode has acquired Phylum, a Denver-based startup specializing in software supply chain security, to bolster its capabilities in real-time detection of malicious open-source packages. This acquisition marks a strategic move to counter the rising tide of software supply chain attacks, which have escalated significantly in recent years.
According to Ravi Iyer, Veracode’s Chief Product Officer, the increase in software supply chain incidents necessitates robust measures, such as a comprehensive vulnerability database and ongoing monitoring. “Phylum’s detection capabilities will be integrated into Veracode’s software composition analysis (SCA) platform,” Iyer stated, emphasizing the critical nature of this integration amid rising security risks.
The urgency behind this acquisition is underscored by a sharp increase in the number of malicious packages identified in open-source ecosystems, rising from a few thousand per quarter to more than 10,000 within the last three months. Iyer remarked, “More software is being developed with open-source material, and this presents a significant attack vector that threatens numerous applications and businesses.” As a result, Veracode recognized the necessity of rapidly integrating advanced detection tools to better serve its clientele.
Founded in 2020, Phylum has raised a total of $19.5 million in funding, including a recent $15 million Series A round led by ClearSky. The company is helmed by Aaron Bray, whose experience includes roles as a red team developer at Sony and as a computer scientist in the Air Force. This expertise contributes to Phylum’s capacity to detect and analyze malicious packages using advanced machine learning and heuristics.
The acquisition is part of Veracode’s broader strategy to enhance its SCA offerings, aiming to deliver advanced security capabilities faster than it could by building similar tools in-house, a slower path that could weaken its competitive position. Phylum’s detection mechanisms are designed to function at scale while maintaining a low rate of false positives, a critical attribute in the current cybersecurity landscape.
As Veracode integrates Phylum’s tools, the focus will be on enhancing the existing SCA workflows. This synergy aims to provide customers with a unified platform for identifying and mitigating threats effectively. Initially, Veracode will concentrate on serving its existing clients in industries like finance before expanding its reach to new sectors and regions.
The acquisition not only enhances Veracode’s technological arsenal but also positions the company to elevate its SCA capabilities to new levels. By integrating Phylum’s advanced features, Veracode expects to align with evolving industry standards, thereby improving overall software supply chain maturity.
Ultimately, the success of this acquisition will be evaluated based on the adoption of Phylum’s technology by Veracode’s customer base. Key performance indicators will include the extent to which customers utilize the new offering, the effectiveness of blocking malicious packages, and the generation of new business avenues. Iyer highlighted, “How many of our existing customers upgrade to the new offerings and prevent incoming malicious packages will be crucial metrics moving forward.”