Companies of all sizes and in every industry have come to rely on open source code; even commercial software is typically built from blocks of it. While it saves developers time, open source code can contain vulnerabilities, or code that is in fact proprietary, exposing a business to potential security or legal liabilities.
This trend is what drove source code management company Assembla to acquire MyGet for an undisclosed sum, the company announced in a blog post Friday. Founded in 2006 and acquired in 2016 by Scaleworks, a San Antonio venture equity firm, Assembla describes itself as the world's only provider of enterprise cloud version control for software code.
Code repositories use version control to manage files and track changes to code. Assembla's cloud-based platform provides that version control for software development teams, so files and code do not diverge haphazardly from one computer to the next. Acquiring MyGet's universal package manager lets Assembla fold an essential early step of software development, pulling open source packages from public repositories and scanning them before use, into its enterprise cloud platform.
MyGet's centralized package management platform lets development teams pull software packages from public open source repositories into a centralized virtual 'sandbox', where the packages can be governed and audited throughout the software development lifecycle and scanned for known vulnerabilities. Founded in 2011, Belgium-based MyGet has more than 40,000 developer users at global enterprises such as Johnson Controls, Microsoft, and BMW. Assembla plans to keep the MyGet team in Belgium; MyGet's platform has already been integrated into Assembla's cloud-based offering, according to Assembla CEO Paul Lynch.
“One of the primary reasons we decided to go with Assembla is because of their security-first mindset,” MyGet co-founders Xavier Decoster and Maarten Balliauw wrote in their announcement Friday. “With a source code management tool built for the enterprise and a focus on shifting security to the left, we know that our customers will be in good hands.”
New vulnerabilities are constantly found in open source code. A U.S. Department of Homeland Security report estimates that 90 percent of security incidents result from exploits against defects in software. The latest Black Duck report found open source code in 96 percent of the commercial applications it examined; the average application contained 147 distinct open source components, and 67 percent of applications used components with known vulnerabilities.
“MyGet sits between the developer and the open source repository so the team can ensure there is no proprietary code, Trojans, or other latent vulnerabilities,” Assembla chief executive officer Paul Lynch said. “If you don’t have a stringent and comprehensive security policy around your source code you don’t have a security policy.”
Firewalls defend the network perimeter, but managing and scanning open source packages before a development team uses them keeps known vulnerabilities out of the code base in the first place, Assembla chief technology officer Jacek Materna said. Such vulnerabilities increase the likelihood of a data breach.
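What a gate of the kind described above actually does can be shown in a few dozen lines. The following is an added illustration, not MyGet's or Assembla's code: it reads a NuGet-style packages.config, checks every package against an approved list and a block list (the "governance" step) and against a list of advisories with affected version ranges (the "scanning" step), and reports a verdict per package. The lockfile, the package names, the advisories and the policy lists are all constructed for the example and correspond to no real packages or CVEs.

```python
"""Pre-use dependency gate: approve, block, or flag each package in a lockfile.

Added example for illustration. Not MyGet's or Assembla's code; every package
name, version range and policy entry below is constructed and fictional.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed NuGet-style packages.config (no real project or packages).
PACKAGES_CONFIG = """<packages>
  <package id="Example.Json" version="12.0.1" />
  <package id="ExampleCorp.Internal" version="1.4.0" />
  <package id="Example.Logger" version="1.9.2" />
</packages>
"""

# Constructed advisory feed: package id -> list of (introduced, fixed) ranges,
# half-open [introduced, fixed). fixed=None means no fixed release exists yet.
# Fictional; not real advisories.
ADVISORIES = {
    "Example.Json": [("0.0.0", "13.0.1")],
    "Example.Logger": [("2.0.0", None)],
}

# Constructed governance policy: what the curated feed may serve, and ids that
# must never be pulled from public upstream (e.g. names that collide with
# internal proprietary packages, a classic dependency-confusion vector).
ALLOWED_PACKAGES = {"Example.Json", "Example.Logger"}
BLOCKED_PACKAGES = {"ExampleCorp.Internal"}


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' (or '1.2.3-beta') into a comparable tuple of ints.
    Pre-release and build suffixes are dropped for the range comparison."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, ranges) -> bool:
    """True if version falls in any [introduced, fixed) advisory range."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if v >= parse_version(introduced) and (fixed is None or v < parse_version(fixed)):
            return True
    return False


@dataclass
class Finding:
    package: str
    version: str
    verdict: str  # "allow", "block" or "vulnerable"
    reason: str


def gate(packages_xml: str, advisories, allowed, blocked):
    """Evaluate every <package> entry; policy checks run before the scan so a
    blocked id is never even looked up against upstream advisories."""
    root = ET.fromstring(packages_xml.strip())
    findings = []
    for pkg in root.findall("package"):
        pid, ver = pkg.get("id"), pkg.get("version")
        if pid in blocked:
            findings.append(Finding(pid, ver, "block", "on block list"))
        elif pid not in allowed:
            findings.append(Finding(pid, ver, "block", "not on approved list"))
        elif is_affected(ver, advisories.get(pid, [])):
            findings.append(Finding(pid, ver, "vulnerable", "version in affected range"))
        else:
            findings.append(Finding(pid, ver, "allow", "approved, no known advisory"))
    return findings


def passes(findings) -> bool:
    """The build may proceed only if every package was allowed."""
    return all(f.verdict == "allow" for f in findings)


if __name__ == "__main__":
    results = gate(PACKAGES_CONFIG, ADVISORIES, ALLOWED_PACKAGES, BLOCKED_PACKAGES)
    for f in results:
        print(f"{f.verdict:10} {f.package}@{f.version}: {f.reason}")
    print("gate passed" if passes(results) else "gate failed")
```

The ordering matters: the block list is consulted before the advisory lookup, so a package whose name shadows an internal one is refused regardless of whether any public advisory exists for it. A real feed would refresh the advisory data continuously and re-evaluate already-approved versions, since, as the article notes, new vulnerabilities in open source components are found all the time.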
Weak controls around source code were at the heart of the 2016 Uber breach: attackers found credentials in a private repository that Uber engineers kept on GitHub, a code hosting service, and used them to reach data Uber stored in the cloud, including personal information on about 7 million drivers and 50 million riders.
“While we’re not a security company, we’re bringing security into the mix to make it easy for those using software dev tools,” Materna said. “We want to make developers aware that this is an issue and empower them in their tradecraft with safer software package management tools.”
Assembla has set itself apart as a provider of cloud-based version control for large companies that need high levels of both security and compliance. The company is the only code version control platform that complies with the European Union's General Data Protection Regulation (GDPR), the EU-U.S. Privacy Shield framework, and SOC 2, Lynch said.
“There may be businesses doing security and ones doing version control, but not a lot are doing software version control in the cloud with strong security compliance like we are,” Lynch said. “We now have a European cloud located in Frankfurt, Germany built out with same features as in our data centers here [in the U.S.], so EU clients can keep their data within the EU.”
Assembla hosts repositories for three version control systems widely used in industry: Git (a distributed version control system), Apache Subversion or SVN (a centralized versioning and revision control system), and Perforce (a commercial, proprietary revision control system).
GitHub, a code hosting service, dominates the cloud-based code hosting space, but it is built solely on one version control system, Git. Alternatives such as SVN and Mercurial remain in use, especially in the enterprise. In January, Assembla acquired Cornerstone, one of the most popular SVN clients.
“We are investing to become an industry leader,” Lynch said. “Open source is big business, and source code management is suddenly at the enterprise level now. You can’t get more enterprise than Microsoft, now that they’ve acquired GitHub.”
Assembla has more than 5,500 companies as clients, from Fortune 500 companies to smaller shops, in over 150 countries, Lynch said. The company has grown about 55 percent year over year in the two and a half years since joining Scaleworks and employs about 50 people (roughly 30 at its San Antonio headquarters and 20 in Poland). Lynch said Assembla is looking to hire more customer support, sales, and marketing staff for the downtown San Antonio location.
Lynch is focused on more growth for Assembla. The MyGet acquisition positions Assembla to compete in the enterprise Git and version control space with its integrated code package management.
“Our services appeal to devs working on more complex code like AR/VR, rich content, filming, movie studios, video gaming studios, machine learning—software development that requires large complex code databases,” Lynch said. “As the software developer market has emerged, it’s created an opportunity for the enterprise management of software source code. Our goal is to be No. 1 in that space.”