
Mark Curphey just gave you the tools to make safe apps -- for free?

Is it possible to build software speedily but safely? Startup CEO Mark Curphey thinks so, and he's using big data analytics to make open source code safe for developers everywhere.

This article can also be found in the Premium Editorial Download: Business Information: Effective data visualization crystallizes a company's crystal ball.

Security expert and cryptographer Mark Curphey was just doing his job as head of the information security tools team at Microsoft when he got a firsthand view of open source code and its potential for security breaches. The vast majority of software is developed using at least some open source code, which is widely available and free of charge. Yet a developer pulling that code into an application has little way of knowing whether it carries a vulnerability or a back door that the "bad guys," the moniker security people apply to hackers, could exploit.

The so-called Panama Papers containing millions of files on offshore tax shelters used by the rich were hacked due to a weak spot in a piece of open source code, Curphey said. And it happened because the security industry is still doing what it has always done -- chasing hackers after the fact. "A lightbulb went off for me," he said. "If you look at the security industry, very little has changed over the last 10 years. People are still hacked in very similar ways to how they were hacked before." Tired of hackers always being one step ahead, Curphey realized that the antidote was to start with the building blocks of a developer's code and harness the power of big data analytics and the cloud to determine weak spots.

Cloud-powered big data analytics

Now, as CEO of his startup company, SourceClear, Curphey is bringing big data analytics, and with it security, to developers -- sometimes free of charge. If his efforts work -- and a host of big-name Silicon Valley venture capitalists are betting heavily on him and his company -- it may be the first time software developers can ship safer apps simply by doing their jobs.

A self-proclaimed data junkie and an avid British cyclist, Curphey took a personal interest in Team Sky, Great Britain's professional cycling organization formed after the Lance Armstrong doping scandal. The cycling group was searching for a way to improve performance -- without chemicals -- and turned to big data to track its athletes. "They looked at the power and the force the athletes put out, the calories they took in, just about everything," Curphey explained. "[Their] strategy was all about marginal gains. If [a cyclist] can improve 1% here and there, it's all going to add up." Team Sky's use of big data analytics helped solidify Curphey's own business plans for his startup company. "That data was the key to their success," he added, "and that was the key to how SourceClear was going to be able to make a difference."


SourceClear uses big data analytics -- powered by the Amazon Web Services cloud -- to analyze millions of lines of open source code in an effort to find flaws. Using SourceClear's tool, a software developer can pick an open source component the application depends on and find out immediately whether it carries any known security vulnerabilities and, if so, where the fix is located. This capability not only helps developers ship safer apps, but saves the time-pressured developer valuable minutes or hours each day.
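The check described above, reduced to its core, is a lookup of a component's declared version against a list of advisories that each record the affected version range and the first version carrying the patch. The script below is an added illustration of that logic and is not SourceClear's code; the component names, advisory identifiers and version ranges are constructed for the example, and the version comparator handles only plain dotted numeric versions (real version schemes with pre-release tags need a proper comparator).

```python
"""Illustrative open source dependency check (added example, not SourceClear code).

Compares the versions of components a project declares against a small,
constructed advisory list and reports which components are affected and
which version carries the fix.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.

    Comparing the raw strings would rank '1.10.0' below '1.4.2', a classic
    false positive in home-grown checkers. Trailing zeros are dropped so
    '1.4' and '1.4.0' compare equal. Only dotted numeric versions are handled.
    """
    parts = [int(p) for p in v.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first version containing the patch; None if unpatched
    advisory_id: str


# Constructed sample advisories; the names, IDs and ranges are hypothetical.
ADVISORIES: List[Advisory] = [
    Advisory("example-lib", "1.0.0", "1.4.2", "EXAMPLE-2016-0001"),
    Advisory("other-lib", "2.0.0", None, "EXAMPLE-2016-0002"),
    Advisory("example-lib", "1.5.0", "1.5.3", "EXAMPLE-2016-0003"),
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed); open-ended if no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def check_dependencies(deps: Dict[str, str],
                       advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one finding per (component, advisory) match.

    Each finding names the advisory and the version the developer should
    upgrade to, or None when no patched release exists, which is the case a
    team most needs to know about because upgrading alone will not help.
    """
    findings = []
    for name, version in deps.items():
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed,
                })
    return findings


# Constructed manifest standing in for a project's declared dependencies.
SAMPLE_DEPS = {
    "example-lib": "1.2.0",   # inside the EXAMPLE-2016-0001 range
    "other-lib": "2.3.1",     # affected, and no fixed release yet
    "safe-lib": "0.9.0",      # no advisory at all
}

if __name__ == "__main__":
    for f in check_dependencies(SAMPLE_DEPS):
        fix = f["fixed_in"] or "no patched release available"
        print(f'{f["component"]} {f["version"]}: {f["advisory"]} (fix: {fix})')
```

Running the block against the constructed manifest lists the two affected components; a version such as 1.10.0 of example-lib is correctly reported clean, which a string comparison would have flagged.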

Analyzing big data makes it all possible. "Historically people have done [security] research [on open source code], but they would find things only by stumbling over it and they weren't systematically looking at the entire scope of the code," Curphey said. "We ultimately consider ourselves a data science company, and it is critical to what we do." His 25-person company includes three data scientists and a total of five employees with doctorate degrees all focused on ensuring safe apps. "Modern data science," Curphey noted, "allows us to do what an individual security researcher used to do and now do it at scale."

Mark Curphey

  • Founder and CEO of open source code security firm SourceClear.
  • Formerly principal group program manager at Microsoft, software security and development consultant at Foundstone Professional Services and information security director at Charles Schwab.
  • Earned a master's degree in information security from Royal Holloway, University of London, and bachelor's degree in mechanical engineering from the University of Brighton, U.K.
  • A self-proclaimed data junkie as well as a cycling enthusiast who rides his bike to work across the Golden Gate Bridge.
  • Lives north of San Francisco with his family.

Double-edged sword

Yet the reality is that all the analytical power Curphey can harness is equally available to the bad guys, who can mine the same open source code for flaws to exploit, something he's quick to point out. And that's why SourceClear won't limit itself to just analyzing lines of open source code with an eye toward making apps safer.

Curphey takes the time to reflect on more ways to use big data and other issues while riding his bike to work daily across the Golden Gate Bridge. "When I look at our developers here, they are embracing this modern world, and there are two camps: one that wants to build everything from the ground up and one that wants to build on top of the shoulders of giants," he explained. "If we leverage what we have now, like AI and big data, we can focus on solving new problems versus solving the old ones over and over again." With data science, he added, "we have the intelligence now to make smart decisions in the world."

To prove his point, Curphey need not look any further than the performance of Team Sky member Chris Froome, who recently won the 2016 Tour de France.


This was last published in October 2016
