The rise of emerging open-source threats presents a growing risk to organizations as attackers increasingly exploit vulnerabilities in widely used libraries, frameworks, and tools. In fact, most Software Composition Analysis (SCA) tools on the market today are unable to keep up with the volume of new, overtly malicious activity in the open-source ecosystem.
To address this critical threat, I’m excited to announce Veracode’s acquisition of Phylum Inc.’s technology to advance our capabilities in securing software supply chains. The addition of Phylum will strengthen the market’s ability to combat these threats through the advanced detection and mitigation of malicious packages in open-source libraries.
Software teams’ reliance on open-source libraries, and the threats targeting those libraries, make detecting and blocking malicious packages more critical than ever. Malicious packages often contain code designed to extract sensitive information such as credentials, API keys, or personal data. Detecting these packages is a key component of application risk management, helping prevent and mitigate security breaches.
How Phylum Addresses the Malicious Package Risk
The core of Phylum’s technology is a sophisticated package management firewall backed by a comprehensive database of malicious packages. These tools are crucial for the real-time detection and blocking of open-source security threats early in the development pipeline. By integrating these technologies, Veracode strengthens its ability to offer a proactive defense against network infections, data theft, and remote code execution risks.
Enhancing Software Composition Analysis (SCA)
The integration of Phylum’s automated tools into our Software Composition Analysis (SCA) solutions will give customers a holistic view of the risks associated with their open-source library usage. The combined solution will be governed by Veracode’s customizable policy engine, providing effective controls for managing open-source risk. The technology will shorten the attacker’s window of opportunity by automating the entire process of malicious code analysis, so threats are identified and mitigated faster than ever, providing an essential layer of security that keeps our customers’ applications secure.
Incorporating Phylum's Research and Expertise
The integration of Phylum’s research and team is an exciting addition to our industry-leading vulnerability research team. Leveraging Phylum’s unparalleled database of malicious packages and its advanced research methodologies, we now detect substantially more malicious packages than other vendors. The combination of Veracode’s and Phylum’s expertise will yield superior research on new threats and best practices.
A Proactive Approach to Security
Phylum’s technology acts as a robust firewall for open-source software packages. It meticulously scans and analyzes third-party libraries as soon as they are published. This immediate response ensures that only secure, approved software packages make their way into our clients’ development environments. It is a proactive, policy-driven approach that not only identifies threats but also anticipates and neutralizes them before they can cause harm.
Future Roadmaps and Continued Innovation
Through the first half of 2025, we will be releasing these capabilities to the market. Securing software supply chains and managing overall application risk is Veracode’s singular focus. We are excited to continue delivering innovation in these areas and to help our customers innovate while delivering secure software.
Schedule a demo today to learn more about how we can help you build a secure future.