Security and compliance company HeroDevs has acquired New York-based startup company Xeol. Pronounced zee-oh-el, Xeol focuses on end-of-life software detection intelligence. With HeroDevs’ focus on what the company calls “deprecated open source” (by which it means condemned software packages that are past their end-of-life, rather than those that are deplorable or abhorrent), the combined technology stacks here both align towards the unloved end of the application management spectrum.
Championing what it calls “never-ending support” solutions for software that has been consigned to the legacy graveyard, HeroDevs says it can now more broadly help developers reliant on open-source software. It can now do this through visibility into Xeol’s platform, which tracks end-of-life data across more than 100,000 open-source software packages.
Useful when tracking and identifying potential cybersecurity risks within software supply chains, the two technologies working in concert here are said to be a way to keep open-source software patched and secured. This is especially valuable to businesses that need to adhere to strict compliance standards that prohibit the use of unsupported software, such as FedRAMP, HIPAA, PCI DSS and SOC 2.
It’s Free, To Developers
“When it comes to securing your applications, the first step is knowing you have a problem and for many, that is the biggest challenge,” said Aaron Frost, HeroDevs founder and CEO. “The Xeol team has built an extremely large, exhaustive database of open-source software that has reached its end-of-life and could therefore put organizations at risk. We will make this comprehensive database available to the public for free so developers, CISOs and technology leaders can easily ensure their applications are secure and safeguarded against data breaches.”
When open-source software packages reach their end-of-life and are no longer maintained by the organizations and developers building them, using that software can be a threat vector for hackers and data breaches. Most software security scanners track common vulnerabilities and exposures; however, tracking threats for unsupported, deprecated open-source software is more challenging, as the developers overseeing those projects do not have the resources to reproduce and validate the vulnerabilities.
In addition, tracking end-of-life data for open-source software packages has been extremely decentralized until now, says Frost. From AngularJS to .NET, he reinforces the suggestion that HeroDevs’ never-ending support solutions give businesses the freedom to plan migrations on their terms while staying protected against vulnerabilities and compliance risks.
Collaborative Transparency
Equally upbeat about the new company fusion is ShiHan Wan, cofounder and CEO at Xeol. Wan says that the fact that HeroDevs is making that data freely available says a lot about the company’s commitment to open-source values like collaboration and transparency.
“The kind of insights we can provide through our database could be game-changing for open-source developers and cybersecurity pros alike. End-of-life data can also be incorporated into software composition analysis and vulnerability detection tools,” said Wan.
HeroDevs also recently partnered with application risk platform Mend.io to make remediation immediately available, through Mend’s AppSec (application security) platform, to companies struggling with open-source end-of-life challenges. While the term deprecated software might be alien to many within the business function (and be a term more associated with disapproving insults), its use within software engineering circles to denote those codebases that have entered obsolescence or obscurity, or gained legacy status simply as a result of natural platform evolution, is very real.