The acquisition promises improved application security and reduced false positives
Michael Novinson
March 22, 2024
GitLab has acquired a static application security testing startup led by an Imperva and Check Point veteran to improve detection of application-layer risks and reduce false positives.
The San Francisco-based DevSecOps powerhouse praised Tel Aviv, Israel-based Oxeye for its unique approach to identifying and addressing application-layer risks and said its technology will enable static application security testing throughout the software development lifecycle. GitLab launched its own SAST offering in 2017 and said Oxeye's capabilities will improve detection and simplify vulnerability management.
“Oxeye’s technology will improve GitLab’s ability to detect software vulnerabilities through SAST,” Director of Product Management Sarah Waldner said in an email to Information Security Media Group. “We are very pleased to have been able to build a constructive relationship with Oxeye and can now bring our teams and products together.”
How GitLab plans to integrate Oxeye
Terms of the acquisition were not disclosed, although Calcalist reported that GitLab paid between $30 million and $40 million for Oxeye. The company came out of stealth in November 2021 with $5.3 million in seed funding from MoreVC. Oxeye today employs 30 people and has been led from the start by Dean Agron, who spent six years as a sales engineer at Imperva and three years doing research and development for Check Point.
Waldner said Oxeye’s ability to track vulnerabilities from code to the cloud sets it apart from the competition and gives development and security teams a powerful way to quickly identify and address the most exploitable risks. GitLab regularly surveys the market for innovative technologies that align with the company’s vision and customer needs, according to Waldner.
Now that the acquisition is complete, Waldner said work on integrating Oxeye into GitLab’s SAST product will begin immediately. Within a year, Waldner expects Oxeye’s capabilities to enhance GitLab’s SAST scanning for Python, Go, Java, and JavaScript, setting milestones for iterative improvements along the way.
“Integrating Oxeye’s capabilities into GitLab will enhance this critical area of the product to meet the security needs of our customers,” said Waldner. “Within the next year, we expect to make the improved SAST scan generally available for four languages.”
How GitLab users will benefit from the acquisition
The purchase of Oxeye will allow GitLab to add a new type of program analysis to its engine, one that performs interprocedural checks across functions and files, according to Waldner. The new capability will result in a much more accurate and actionable list of security findings, she said.
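To illustrate why interprocedural checks reduce false positives, here is an added toy taint analysis over a constructed mini-IR (example code, not Oxeye's or GitLab's engine). A caller in one file passes user input through a sanitizer defined in another file; a per-function scan cannot see the sanitizer and flags the sink, while the interprocedural scan follows the call and clears it. Function and variable names are made up for the example.

```python
"""Toy taint analysis: intraprocedural vs. interprocedural (constructed example)."""
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, ...]
Program = Dict[str, List[Stmt]]  # function name -> list of statements

# Constructed sample program. The "handler_*" functions live in one file,
# the callees in another; every callee takes a single parameter named "p".
PROGRAM: Program = {
    "handler_clean": [("source", "x"), ("call", "y", "clean", "x"), ("sink", "y")],
    "handler_raw":   [("source", "x"), ("call", "y", "passthrough", "x"), ("sink", "y")],
    "clean":         [("sanitize", "q", "p"), ("return", "q")],
    "passthrough":   [("return", "p")],
}

def analyze(prog: Program, fn: str, param_tainted: bool = False,
            interprocedural: bool = True, depth: int = 0) -> Tuple[bool, bool]:
    """Return (return_value_tainted, tainted_value_reaches_sink) for fn."""
    tainted: Set[str] = {"p"} if param_tainted else set()
    ret_tainted = sink_hit = False
    for st in prog[fn]:
        op = st[0]
        if op == "source":          # untrusted input enters st[1]
            tainted.add(st[1])
        elif op == "sanitize":      # st[1] = sanitize(st[2]); result is clean
            tainted.discard(st[1])
        elif op == "call":          # st[1] = st[2](st[3])
            dst, callee, arg = st[1], st[2], st[3]
            if interprocedural and depth < 8:
                callee_ret, callee_sink = analyze(
                    prog, callee, arg in tainted, True, depth + 1)
                sink_hit |= callee_sink
                (tainted.add if callee_ret else tainted.discard)(dst)
            elif arg in tainted:
                # No view into the callee: conservatively assume taint flows through.
                tainted.add(dst)
        elif op == "sink":          # dangerous use of st[1]
            sink_hit |= st[1] in tainted
        elif op == "return":
            ret_tainted = st[1] in tainted
    return ret_tainted, sink_hit

def findings(prog: Program, interprocedural: bool) -> List[str]:
    """Entry points reported as vulnerable under the chosen analysis mode."""
    return sorted(f for f in prog if f.startswith("handler")
                  and analyze(prog, f, False, interprocedural)[1])

if __name__ == "__main__":
    print("intraprocedural:", findings(PROGRAM, False))  # both handlers flagged
    print("interprocedural:", findings(PROGRAM, True))   # only handler_raw
```

The intraprocedural run reports handler_clean as a false positive; the interprocedural run keeps only the true positive, which is the effect the article attributes to Oxeye's approach.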
Existing users of GitLab and Oxeye will benefit from a more accurate and actionable list of security findings, as well as fewer false positives and more true positive detections, Waldner said. The combined company will focus on advancing its security and compliance capabilities, strengthening GitLab’s position in the application security testing market, and helping customers build secure software more efficiently.
“The acquisition of Oxeye demonstrates our commitment to ensuring that our application security testing features can help even more users build more secure software faster,” Waldner said.
Oxeye will complement GitLab's existing capabilities around dynamic application security testing, fuzz testing, container scanning and dependency scanning, all aimed at helping customers deliver secure applications. GitLab's DevSecOps platform aims to help customers find and fix security vulnerabilities in their software faster while eliminating inefficiencies in the software development process.
GitLab was recognized as a Contender in last year's Forrester Wave for static application security testing, and as a Challenger in last year's Forrester Wave for software composition analysis and in last year's Gartner Magic Quadrant for application security testing.