
The profile is currently unclaimed by the seller. All information is provided by CB Insights.

whitesourcesoftware.com

Founded Year

2011

Stage

Series D | Alive

Total Raised

$123.6M

Last Raised

$75M | 1 yr ago

Mosaic Score

+30 points in the past 30 days

What is a Mosaic Score?
The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.

About WhiteSource

WhiteSource makes it easy for commercial software developers to keep track of OSS components, their licenses, risks, and requirements, and do so in an affordable fashion and without burdening developers.

WhiteSource Headquarter Location

93 Summer St

Boston, Massachusetts, 02110,

United States

917-688-4142


Expert Collections containing WhiteSource

Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.

WhiteSource is included in 1 Expert Collection, including Cybersecurity.

Cybersecurity

4,902 items

WhiteSource Patents

WhiteSource has filed 8 patents.

The 3 most popular patent topics include:

  • Application programming interfaces
  • Compiler construction
  • Free computer libraries
Patent record (one entry shown; the page lists the same entry twice):

  • Application Date: 5/20/2021
  • Grant Date: 3/29/2022
  • Title: (not provided)
  • Related Topics: Compiler construction, Remote procedure call, Compiler optimizations, Subroutines, Parallel computing
  • Status: Grant

Latest WhiteSource News

7 top software supply chain security tools

May 11, 2022

These tools will help identify vulnerabilities and threats posed by third-party code through software composition analysis and SBOM creation.

As the fallout from the Apache Log4j vulnerabilities earlier this year shows, the biggest risks in enterprise software today are not necessarily in insecure code written directly by in-house software development teams. The flaws in the components, libraries and other open-source code that make up the bulk of today’s software code bases are the underwater part of the insecurity iceberg.

The truth is that much of the enterprise software and custom applications produced by DevOps teams and software engineering groups is not actually coded by their developers. Modern software is modular. Developers use what is called a microservices architecture to make new applications by constructing them a lot like a Lego house—using blocks that are made of premade code. Rather than reinventing the wheel every time they need their application to perform a common function, developers root around in their proverbial box of blocks to find just the right one that will do what they need without a lot of fuss.

That box is today’s ever-expanding software supply chain, a sometimes very informal source of code that flows from the millions of GitHub repositories and open-source projects floating around online today. It consists of components and libraries used in myriad applications and in the underlying application and development infrastructure used to construct modern development pipelines. Of course, the programs provided by this supply chain aren’t really bricks and they don’t always interlock perfectly, so developers create custom code to glue all those pieces together. In fact, many then turn those creations into yet more open-source projects for others to solve similar problems, which is one reason why the software supply chain keeps growing.

Applications built with third-party code

A modern application is mostly made up of third-party code. According to Forrester, the percentage of open-source code that makes up an average application’s code base rose from 36% in 2015 to 75% in 2020. It’s a faster, more scalable way to develop quickly, but like all technology innovation it comes with added cyber risk unless proper care is taken.

It’s the dirty little secret of the development world that the components co-opted from today’s software supply chain can very easily be out of date and riddled with vulnerabilities. Making things even more complicated is the fact that flaws are often nested together, as different projects may have dependencies on others in the supply chain. Sometimes the flaws can even be purposely added by attackers who intentionally seed open-source software with vulnerabilities.

The vulnerabilities introduced by the software supply chain can be like hidden cybersecurity landmines in enterprise software, particularly when organizations do nothing to formally govern how their developers use the software supply chain. Many organizations barely even track—let alone vet or manage—the kinds of components, libraries, and developer tools that go into or produce the code that their developers commit. According to a study released by the Linux Foundation, fewer than half of organizations use a software bill of materials (SBOM) that tracks exactly what goes into their applications from the software supply chain.

Creating an SBOM is foundational for supply chain security, alongside open-source governance and securing the infrastructure-as-code elements that touch applications throughout the SDLC. The following is a list of tools that help accomplish this, with a heavy emphasis on software composition analysis (SCA) tools that focus specifically on developing SBOMs, raising visibility into what goes into software and remediating flaws in the components that are the building blocks of software today.

Top supply chain security tools

Contrast Security

Known best for its Interactive Application Security Testing (IAST) technology that detects vulnerabilities in applications via an agent running on the application server, Contrast Security provides SCA capabilities as part of a full slate of testing in its open platform, which also does dynamic application security testing (DAST), static application security testing (SAST), runtime application scanning protection (RASP), and serverless security checks on AWS Lambda infrastructure. The tooling can not only generate an SBOM but also contextualize flaws across the various ingredients that make up an application by visualizing application architecture, code trees and message flow information to aid in threat modeling and remediation. Open-source governance is embedded within modern development workflows and tooling, and Contrast’s bread and butter is in bridging the divide between developers and security teams, making it a major player in the DevSecOps market.

ShiftLeft

A relative newcomer in this field of options, ShiftLeft is designed to fit into the development workflow of forward-thinking DevOps teams. The core value is in bringing together SCA and SAST into a single scan that’s done when a developer makes a pull request. The technology uses a technique the company calls Code Property Graph (CPG) to map out dependencies and data flows across custom code, open-source libraries, SDKs and APIs, seeking out not only flaws across the entire application—including its open-source components—but also logical app weaknesses. Supply chain flaws are prioritized by susceptibility to attack using a “reachability” index that’s inserted into the SBOM, putting each flaw in the context of how attackable the component is based on how it is used in the application.

Snyk

Snyk is a cloud-native, developer-centric set of tooling that’s purpose-built for DevSecOps and cloud-native development shops. Best known for its SCA and container security scan capabilities, it also offers SAST and API vulnerability testing. In February 2022 the company purchased Fugue, a cloud security posture management company. As Gartner explained, its blend of offerings across infrastructure-as-code security, container security, and application security is representative of the fact that “application and infrastructure layers increasingly blur together.” It’s usually bought on the developer side but is worth a look for CSOs and security staff seeking to move toward a democratized model of developer-run security testing and remediation.

Sonatype Nexus

One of the longest-running offerings in the SCA market, Sonatype was billing itself as a “software supply chain security” company long before the term was sneaking its way into the titles of security conference and webinar sessions. The heart of the Sonatype Nexus platform is its capabilities for creating detailed SBOMs and policy management. Forrester analysts say, “Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards and a policy engine that allows users to create and assign policies to certain types of applications.” Policies can be applied not only to what goes into the code but also to managing the security and configuration of the surrounding infrastructure as code and containers that are used to develop and deploy applications. Sonatype also offers repository management to provide a single source of truth for all components, binaries, and build artifacts. Nexus’s visualization of component history and Sonatype’s customer service are also called out by the analysts as its big strengths. Last year Sonatype also picked up MuseDev in an acquisition that helped it build out its Sonatype Lift capabilities, which provide dev-friendly code quality analysis during code review.

Synopsys Black Duck

Synopsys’ Black Duck SCA tool does four types of analysis—dependency, codeprint, binary and snippet—to track and manage the components used within an organization’s software. Synopsys recently improved Black Duck’s SBOM creation capabilities to include BLANK. In addition to creating bills of materials, the tool also performs automated policy management. Black Duck is part of the broader portfolio of AppSec tools offered by Synopsys, which Gartner named as a leader in its Application Security Testing Magic Quadrant. The open platform model it uses to deliver SCA alongside DAST, SAST, penetration testing, fuzzing and a range of other testing capabilities is a key value proposition. It “makes Synopsys a good fit for organizations with complex, multiteam development, using a mix of development styles and programming technologies,” says Gartner.

Veracode

A longtime powerhouse in the traditional appsec testing market with a mature SaaS product that has long dominated the SAST and DAST arenas, Veracode has in the last few years been investing heavily in SCA. Following its acquisition of SourceClear in 2018 there was some bifurcation between its homegrown SCA capabilities and what it offered through SourceClear, but Veracode Software Composition Analysis is now a single product available through the platform. “Veracode’s roadmap focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC [Infrastructure as Code] security capabilities,” explain Forrester analysts. They say the high points for Veracode are its remediation reports and dependency graphing. The biggest point of friction, they noted, was the difficulty of integrating it into developer workflows.

WhiteSource Software

A big highlight of WhiteSource Software’s SCA tooling is its developer-friendly remediation of component security issues, including alerting on and fixing out-of-date and malicious components. “WhiteSource’s thought leadership is focused on remediation and prioritization,” wrote Forrester analysts, who deem this vendor a leader in the SCA space. “WhiteSource offers differentiating features, including a browser plugin to help avoid problematic components and removing unreachable vulnerabilities from the developer’s queue to improve developer experience.” One point in which they say it lags is its lack of out-of-the-box policies.


  • When was WhiteSource founded?

    WhiteSource was founded in 2011.

  • Where is WhiteSource's headquarters?

    WhiteSource's headquarters is located at 93 Summer St, Boston.

  • What is WhiteSource's latest funding round?

    WhiteSource's latest funding round is Series D.

  • How much did WhiteSource raise?

    WhiteSource raised a total of $123.6M.

  • Who are WhiteSource's competitors?

    Competitors of WhiteSource include GitGuardian and 1 more.

You May Also Like

Contrast Security

Contrast Security is a provider of security technology that enables software applications to protect themselves against cyber attacks. Contrast's patented deep security instrumentation is the technology that enables highly accurate analysis and always-on protection of an entire application portfolio, without scanning.

Bright Security

Bright Security, fka NeuraLegion, helps improve application security at a lower cost by providing a 0-false positive, AI-powered DAST, and Fuzzer solutions that are purpose-built for modern development environments. It is based in Tel Aviv, Israel.

Snyk

Snyk is an open-source security platform designed to help software-driven businesses enhance developer security. Snyk's dependency scanner finds, prioritizes, and fixes vulnerabilities and license violations in open source dependencies and container images.

Sike Cloud

Sike Cloud is one of the leading source code security testing solution providers in China, with completely independent intellectual property rights. In addition to source code testing products.

Aqua Security

Aqua Security enables enterprises to secure their virtual container environments from development to production, accelerating container adoption and bridging the gap between DevOps and IT security. Aqua's Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance.

GitGuardian

GitGuardian offers a developers-first solution scanning GitHub activity in real-time for API secret tokens, database credentials, and certificates.
