SourceClear offers a free security tool for open source code projects


What if it was easy to secure an app? And even better, what if it was free?

Startup SourceClear has introduced a tool – SourceClear Open – that will allow developers to check open source code projects against a database that can immediately tell them if there are security vulnerabilities and point them to fixes. And the basic tool is free.

CEO and Founder Mark Curphey has spent over 15 years in security, most of the time incredibly frustrated with the difficulty of bringing developers and security people together. “Security has always been an obstacle to development,” he said. “The main goal of a developer is to provide functionality. I wanted to find a way to allow everyone to do the right thing.”

Easy? That is not how anyone today would describe the place where security and development meet. Code is released faster and more often while the number of security threats keeps climbing. “Security threats are growing faster than we see the skills available to respond to them,” said Kurt Bittner, senior analyst for application development and delivery at Forrester Research. “It’s a serious problem.”

Curphey agreed. “Security has been way too difficult,” he said. “We don’t want developers to feel beaten with a stick or forced to do so.”

SourceClear estimates that up to 90% of developers use open source code, and while it’s a great choice for speed and ease, it’s also a great choice for hackers, Curphey explained. “The bad guys find backdoors in this code and install malicious code, and all of a sudden, it’s right in the heart of your software.” Open source is only getting more popular: a report released last month recommended that U.S. government agencies use even more open source code in the future to save time and money. It makes sense, but it is risky, Curphey said, pointing to the Panama Papers breach, which he said came through a backdoor in an unpatched piece of open source code.

What Curphey thought was needed was a way to find out exactly which open source libraries an application uses, which known issues might be hiding in those versions, and then advice on how to fix them. Through large-scale analysis on the back end, SourceClear has examined millions of versions of open source libraries and built a registry of known security risks. Developers can access the cloud-based SourceClear Open from a desktop or other device. It works with popular tools and environments including GitHub, Bitbucket, and Jenkins, as well as Jira, and with languages such as Java, Ruby, Python, and JavaScript. The paid versions of SourceClear, Pro and Enterprise, offer additional functionality, support, and scalability.
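To make the matching step concrete, here is an added example (not SourceClear’s code, data, or API) of the core check a tool of this kind performs: parse a project’s pinned dependencies, compare each version against a registry of affected version ranges, and report the lowest version that clears every match. The package names, advisory identifiers, and version ranges below are constructed placeholders, and the sample requirements file is made up for the demonstration.

```python
"""Toy software-composition check: match a project's declared open source
dependencies against a small registry of known-vulnerable version ranges.

Added example, not SourceClear's code or data. Every advisory ID, package
name and version range here is constructed for illustration only.
"""
import re
from dataclasses import dataclass


def parse_version(s: str) -> tuple:
    """Split '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical
    (a string compare would wrongly rank '1.2.10' below '1.2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed registry: placeholder IDs and ranges, not real advisories.
REGISTRY = [
    Advisory("EX-2016-0001", "foolib", "1.0.0", "1.2.4"),
    Advisory("EX-2016-0002", "barlib", "2.0.0", "2.3.0"),
    Advisory("EX-2016-0003", "foolib", "0.9.0", "1.1.0"),  # overlapping older issue
]

# Only exact pins ('name==version', optional trailing comment) are matched.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(?:#.*)?$")


def parse_requirements(text: str) -> dict:
    """Parse pinned 'name==version' lines from a requirements.txt-style file.
    Unpinned lines are skipped: without the resolved version there is nothing
    exact to compare against a range, which is why real tools prefer lock files."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def check_dependencies(deps: dict, registry=REGISTRY) -> list:
    """Return sorted findings as (package, version, advisory_id, fixed_version)."""
    findings = []
    for name, version in deps.items():
        for adv in registry:
            if adv.package == name and adv.affects(version):
                findings.append((name, version, adv.advisory_id, adv.fixed))
    return sorted(findings)


def remediation_target(findings) -> dict:
    """For each affected package, the lowest version that clears every matched
    advisory (the highest 'fixed' bound among its findings)."""
    target = {}
    for name, _version, _adv_id, fixed in findings:
        if name not in target or parse_version(fixed) > parse_version(target[name]):
            target[name] = fixed
    return target


# Constructed sample manifest (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# application dependencies
foolib==1.0.5
barlib==2.4.0      # already past the fixed version
bazlib==3.1.0
quxlib>=1.0        # unpinned: skipped, cannot be matched exactly
"""

if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    found = check_dependencies(deps)
    for pkg, ver, adv_id, fixed in found:
        print(f"{pkg}=={ver}: affected by {adv_id}, fixed in {fixed}")
    for pkg, fixed in remediation_target(found).items():
        print(f"upgrade {pkg} to >= {fixed}")
```

Two details matter in practice. Versions are compared numerically per component, because a plain string compare misorders `1.2.10` against `1.2.9` and would produce both false alarms and missed findings. And only exactly pinned dependencies are checked: a range such as `quxlib>=1.0` says nothing about which version is actually installed, so a tool that integrates with a build system or lock file, rather than a hand-written manifest, gets far more reliable answers.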

“For the first time, developers are getting a free comprehensive tool that sets up quickly and quickly connects to the tools and processes that will allow this change to take place,” said Curphey. “This gives developers more of the responsibility for security, a responsibility they already had indirectly, but without the tools to deal with it. We empower them directly by giving them tools and not slowing them down.”

