UPDATED 09:00 EDT / OCTOBER 15 2020


Fossa reels in $23 million to tell more companies how much open-source code they’re using

If your organization develops software, you’re probably using a lot of open-source code — whether you know it or not.

Fossa Inc. is betting its business — and $35 million of its investors’ money — on the belief that organizations need to know a lot more about what’s in the software they build.

The company makes an open-source management platform that analyzes the code in an organization’s source code libraries and compares it against a knowledge base to identify the presence of open-source components. Today it announced it has raised $23.2 million in a Series B funding round and also debuted a new security management toolkit that looks for known vulnerabilities in open-source code and alerts organizations to the risks.

Gartner last year estimated that 90% of the code in 90% of software in development is subject to open-source licensing, a fact that can create a host of legal and security issues. For one thing, there are dozens of such licenses and keeping up with the provisions of each is a daunting task to accomplish manually. Vulnerabilities in open-source programs may also inadvertently be passed on in code fragments embedded elsewhere, even after patches have been issued.

Many organizations have strict policies regarding use of open-source code, but they also have an enforcement problem because of the lack of a control plane, said Fossa Chief Executive Kevin Wang.

“There’s typically some sort of lightweight or manual solution in place that covers 5% to 10% of the code they own,” he said. “We’re trying to get them to 90% to 95%.”

Complying with all the potential licenses covering a large enterprise application can become a logistical headache and a legal migraine. For example, so-called “copyleft” licenses give people the right to freely distribute and modify code provided that they release the derivative code under the same terms.

“Businesses are very sensitive to violating these agreements,” Wang said. When customers first deploy Fossa’s service, the biggest surprises, he said, are “usually just the scale of how much open-source software they utilize.”

Fossa’s product, which is delivered both in on-premises and cloud versions, integrates with a company’s development environment and scans the base of code in process. “We build a picture of the entire supply chain of open source,” Wang said. Its scanning tool is available under an open-source license, but the knowledge base is proprietary.

The company says it has conducted more than 90 million open-source scans. “There’s a huge supply chain of code that people don’t control anymore,” Wang said. “If I’m developing a piece of software, almost every line may be developed by someone else but I’m still accountable for it.” The number of indirect contributors to large software applications can run to the hundreds of thousands, he said.

Fossa’s new security management toolkit matches open-source code to known vulnerabilities and notifies developers if holes exist or patches are needed. “Most of the time companies aren’t seeing security vulnerabilities because they can’t see at scale what code they’re using,” Wang said.

Founded in 2015, Fossa originally targeted technology suppliers and software companies but discovered that rampant use of licensed software is “a problem for every enterprise,” he said. In addition to mainstream business applications, vulnerabilities exist in embedded software that runs in cars, planes and medical devices. “Today’s highest-value workloads are basically uncovered,” he said.

The new funding puts the company’s value at greater than $100 million. The round was led by Bain Capital Ventures LP, Canvas Management Co. LLC and Costanoa Venture Capital Partners LLC.

Photo: Flickr CC
