UPDATED 15:05 EDT / AUGUST 03 2021

SECURITY

Sophos acquires Refactr to automate code security in the enterprise

Cybersecurity provider Sophos Group PLC has acquired Refactr Inc., a Seattle-based startup with a platform that helps enterprise software teams find and fix vulnerabilities in their code. 

The financial terms of the deal were not disclosed. The acquisition comes about two weeks after Sophos bought another startup, Braintrace Inc., whose software can scan the packets traveling through a company’s network to find malicious data traffic.

Refactr focuses on a different part of the cybersecurity market known as the DevSecOps segment. DevSecOps is the umbrella term for a broad collection of products designed to help developers write more secure code and thus lower the risk of cyberattacks.

The process of developing software has two main steps: producing code and deploying it. The deployment phase is typically handled automatically by a set of software tools collectively known as the CI/CD pipeline. The CI/CI pipeline checks developers’ code for bugs, configures the infrastructure on which the code will run and performs the other logistical tasks involved in deploying a new piece of software. Little, if any, manual input is required by developers.

The CI/CD pipeline is also an important component of enterprises’ cybersecurity strategy. It scans every new piece of software a company creates for  vulnerabilities and automatically prevent the file from being deployed to production if a security issue is found. Moreover, the CI/CD pipeline often performs a range of other cybersecurity tasks as well, such as configuring firewall settings.

The challenge Refactr addresses is that setting up a CI/CD pipeline to detect and mitigate potential threats is often quite difficult. One of the main obstacles is that breach prevention is the responsibility of a company’s cybersecurity group, but the CI/CD pipeline itself is usually the responsibility of developers. The two teams often struggle to coordinate their activities because of various operational factors, such as the fact that they generally use different sets of tools to perform their day-to-day work.

Refactr has developed a platform for enabling cybersecurity teams and developers to collaborate on creating CI/CD pipelines. A CI/CD pipeline is at, its core, a series of actions that are performed automatically on a piece of code. Refactr allows cybersecurity teams to define the breach prevention actions that should be performed through a relatively simple  drag and drop interface. After creating a CI/CDI pipeline this way, they can transfer it to developers, who may customize the workflow as needed for their requirements.

Sophos said that Refactr’s technology will enhance its security orchestration, automation and response, or SOAR, capabilities.

“As we’ve seen in recent supply-chain incidents, attackers are increasingly targeting software development pipelines, and defenders need the ability to shift further left of attackers,” said Sophos chief technology officer Joe Levy. Shifting left is the industry term for fixing code vulnerabilities before rather than after they’re released to production. “The industry needs SOAR to mature into more capable and generalizable DevSecOps solutions, and Sophos’ acquisition of Refactr will help us lead the way.”

Refactr’s engineering team will join Sophos to support product development efforts as part of the deal.

Acquiring Refactr will enable Sophos to more directly address the large and growing market for tools that can help enterprise developers write more secure code. One indicator of this market’s growth is the significant amount of funding that has been raised by code security startups in recent quarters. Snyk Ltd., one of the segment’s most prominent players, raised $200 million last September and closed another $300 million round less than six months later, nearly doubling its valuation in the process.

Photo: Sophos

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

We are holding our third cloud startup showcase on Sept. 22. Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.