Sonar today revealed it has agreed to acquire Tidelift to gain access to third-party open-source code that it plans to integrate into its static code analysis tools.
Harry Wang, vice president of growth and new ventures for Sonar, said that while the company’s existing portfolio makes it possible for DevSecOps teams to analyze the code they have written, integrating the Tidelift platform, which identifies dependencies and the associated flaws in open source software, will extend the reach of the Sonar platform.
The combined company will reveal specific product plans early in 2025, said Wang. Earlier this year, in addition to adding generative artificial intelligence (AI) capabilities for remediating vulnerabilities to its core platform, Sonar also unveiled a tool that identifies vulnerabilities in code generated by AI platforms.
That AI Code Assurance tool applies the core engine Sonar developed for analyzing code to surface issues in code generated by platforms such as ChatGPT. At the same time, Sonar launched AI CodeFix, a tool that invokes large language models (LLMs) to surface recommendations for improving code, which development teams approve before they are automatically applied.
The combined company will remain committed to keeping human developers in the loop as more code is generated using AI platforms, said Wang. The challenge, he added, is that the volume of code that will soon be generated will overwhelm the DevSecOps teams dedicated to ensuring that the code that makes it into a production environment is of the highest quality possible, as organizations embrace secure-by-design principles.
It’s not clear how much DevSecOps progress is being made, but a Techstrong Research survey finds that less than half (47%) of respondents work for organizations that regularly employ DevSecOps best practices. Only 54% of respondents regularly scan code for vulnerabilities during development, while 40% conduct security testing, the survey finds.
On the plus side, a full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. Nearly two-thirds (64%) also noted they are specifically investing in a code scanning tool, with 24% describing those investments as high.
Regardless of the current level of commitment to DevSecOps and code scanning, it’s only a matter of time before more stringent regulations require organizations to ensure that routine vulnerabilities don’t find their way into production applications. Organizations will need to be able to demonstrate that reasonable efforts were made to protect the software supply chain that was relied on to build and deploy software.
As a result, most organizations will be revisiting software supply chain security in the months ahead, either before or shortly after those regulations go into effect.
In the meantime, the dependency of application software on third-party code provided by the maintainers of open-source repositories remains a major security concern. The challenge now is finding a way to secure applications regardless of who, or what, created the code that drives them.