Aqua Security acquires Argon to protect the software supply chain

Cloud-native application protection firm Aqua Security announced today it has acquired Argon, a startup with capabilities for securing the software supply chain, amid a growing push to ensure application security from the get-go as part of the development process.

Cofounder and CEO Dror Davidoff said in an email to VentureBeat that combining Aqua Security with Argon creates “the industry’s first and only solution to secure all stages of software build and release.”

Ramat Gan, Israel-based Aqua Security did not disclose the terms of the acquisition, though Davidoff said the acquisition price is in the tens of millions of dollars. Founded in 2020, Tel Aviv, Israel-based Argon had raised $4 million in funding and will bring 30 employees and several dozen customers, in addition to its technology for app development security.

Supply chain insecurity

According to a recent study by Sonatype, software supply chain attacks have soared by 650% since mid-2020, due in large part to infiltration of open source software.

Meanwhile, high-profile attacks such as the SolarWinds breach have made the software supply chain issue impossible to ignore. Discovered roughly a year ago, the attack involved malicious code that was inserted into the widely used SolarWinds Orion network monitoring software, then unknowingly distributed to customers including numerous federal agencies.

Other recent software supply chain incidents have included a breach that affected developer tool Codecov, discovered in April.

Increasing pressures on developers appear to be worsening the problem. A recent survey by Invicti Security found that 70% of development teams always or frequently skip security steps due to time pressures when completing projects.

Evaluating code

Argon enables users to evaluate existing code repositories and infrastructure, scanning both code and artifacts, “to ensure immutability of code from creation through to runtime,” Davidoff said.

Argon’s technology can discover and map continuous integration (CI) and continuous delivery (CD) pipelines, use a zero-trust approach to securing the DevOps toolchain itself, and validate the integrity of code and artifacts at every stage—ultimately “preventing the next SolarWinds or CodeCov attacks,” he said.

To date, Aqua has enabled customers to protect their cloud-native application builds starting from the container image or function build stage, and does so for the application artifacts—but not for the CI/CD toolchain itself, Davidoff said.

“Argon now allows our customers to both further ‘shift left’ and start ensuring code integrity earlier in the supply chain, as well as ensuring that the DevOps tools themselves are properly configured and not susceptible to unwanted integrations, webhooks, and triggers,” he said.

The injection of malicious code into the pipeline, a la SolarWinds, is “precisely the type of attack that Argon protects against,” Davidoff said. “Argon would have identified weak configuration, permissions issues, and non-approved plugins, and detected the malicious code before it was distributed.”

Expanded opportunity

Software supply chain protection is an early-stage market, but Aqua expects this segment of the market to grow “massively” over the next few years, Davidoff said.

With the addition of Argon’s technology, Aqua sees an opportunity both to expand its customer base and to grow with existing customers, he said.

Initial integrations of the technology will be available in the first quarter of 2022, and Aqua expects a full integration before the end of 2022, according to Davidoff.

In terms of headcount, Aqua Security now employs 500 with the addition of the Argon team, he said.

Argon’s executives will join Aqua’s R&D and product teams, with their exact titles still to be determined, Davidoff said. The startup’s founders are Eilon Elhadad and Eylam Milner, who formerly led security and engineering teams within the Israeli military.

Securing app development

Aqua Security describes its offering, the Aqua Platform, as a complete cloud-native application protection platform, or CNAPP. The vendor has seen “high double-digit” revenue and customer growth for its CNAPP so far this year, said Rani Osnat, senior vice president of strategy at the company, in a recent interview with VentureBeat. Aqua reports having a customer base of 500 enterprises.

The company has offered capabilities for scanning applications during development, including infrastructure as code (IaC) security scanning, since its launch in 2015.

In terms of workload protection, Aqua focused on containers at the beginning and added serverless and virtual machines in 2017 to give it full cloud workload protection capabilities.

Previous acquisitions by Aqua Security included CloudSploit in 2019, which added capabilities to its platform for spotting misconfigurations in cloud infrastructure, also known as cloud security posture management. In July, Aqua Security acquired open source IaC security scanner tfsec.

Recent enhancements to Aqua’s CNAPP offering have included the addition of cloud-native detection and response, which provides monitoring and detection to identify zero-day attacks in cloud-native environments.

In March, Aqua Security raised $135 million in series E funding, led by ION Crossover Partners, at a $1 billion valuation.