GitLab Acquires Oxeye to Bolster SAST in DevSecOps Workflow

GitLab has bought a static application security testing startup led by an Imperva and Check Point veteran to improve application-layer risk detection and reduce false positives.

See Also: OnDemand | The Evolution from DAST to IAST: Take AppSec Testing to the Next Level

The San Francisco-based DevSecOps powerhouse praised Tel Aviv, Israel-based Oxeye for its distinctive approach to identifying and resolving application-layer risks and said its technology will allow for static application security testing across the software development life cycle. GitLab launched its own SAST in 2017 and said Oxeye’s capabilities will improve detection and streamline vulnerability management.

“Oxeye’s technology will improve GitLab’s ability to detect software weaknesses via SAST,” Director of Product Management Sarah Waldner told Information Security Media Group in an email. “We’re very pleased that we were able to build a constructive relationship with Oxeye and now can bring our teams and products together.”

How GitLab Plans to Integrate Oxeye

Terms of the acquisition weren’t disclosed, though Calcalist reported that GitLab paid between $30 million and $40 million for Oxeye. The company emerged from stealth in November 2021 with $5.3 million in seed funding from MoreVC. Oxeye today employs 30 people and has been led since its inception by Dean Agron, who spent six years as an Imperva sales engineer and three years doing R&D for Check Point.

Waldner said Oxeye’s ability to trace vulnerabilities from code to cloud sets it apart from competitors and gives developer and security teams a powerful way to quickly identity and address the most exploitable risks. GitLab regularly surveys the market for innovative technologies that align with the company’s vision and customer needs, according to Waldner.

Now that the acquisition has closed, Waldner said the work of integrating Oxeye into GitLab’s SAST product will begin immediately. Within a year, Waldner expects Oxeye’s capabilities will boost GitLab’s SAST scanning for Python, Go, Java and JavaScript, and set milestones for iterative improvement along the way.

“Integrating Oxeye’s capabilities into GitLab will enhance this mission-critical product area to help meet our customers’ security needs,” Waldner said. “Within the next year, we expect to make improved SAST scanning generally available for four languages.”

How GitLab Customers Will Benefit From the Acquisition

Acquiring Oxeye will enable GitLab to conduct a new type of program analysis in its engine that performs interprocedural checks between functions and across files, according to Waldner. The new capability will result in a much more accurate and actionable list of security findings, she said.

Existing customers of GitLab and Oxeye will benefit from a more accurate and actionable list of security findings as well as fewer false positives and more true positive detections, Waldner said. The combined company will focus on advancing its security and compliance capabilities, reinforcing GitLab’s position in the application security testing market and helping customers build secure software more efficiently.

“The acquisition of Oxeye demonstrates our commitment to ensuring our application security testing features can help even more customers build more secure software faster,” Waldner said.

Oxeye will complement GitLab’s existing capabilities around dynamic application security testing, fuzz testing, container scanning and dependency scanning, all of which aim to help users deliver secure apps. GitLab’s DevSecOps platform aims to help customers find and correct security vulnerabilities in their software sooner or eliminate inefficiencies in the software development process altogether.

GitLab was recognized as a contender in last year’s static application security testing Forrester Wave and as a challenger in last year’s software composition analysis Forrester Wave and last year’s application security testing Gartner Magic Quadrant.