Security expert and cryptographer Mark Curphey was just doing his job as head of the information security tools team at Microsoft when he got a firsthand view of open source code and its potential for security breaches. The vast majority of software is developed using at least some open source code, which is widely available and free of charge. Yet there's no way of knowing whether that code contains a back door that the "bad guys," the moniker security people apply to hackers, could use to get in.
The so-called Panama Papers containing millions of files on offshore tax shelters used by the rich were hacked due to a weak spot in a piece of open source code, Curphey said. And it happened because the security industry is still doing what it has always done -- chasing hackers after the fact. "A lightbulb went off for me," he said. "If you look at the security industry, very little has changed over the last 10 years. People are still hacked in very similar ways to how they were hacked before." Tired of hackers always being one step ahead, Curphey realized that the antidote was to start with the building blocks of a developer's code and harness the power of big data analytics and the cloud to determine weak spots.
Cloud-powered big data analytics
Now, as CEO of his startup company, SourceClear, Curphey is bringing big data and eventually security to the people -- sometimes free of charge. If his efforts work -- and a host of big name Silicon Valley venture capitalists are betting heavily on him and his company -- it may very well be the first time software developers can make safe apps just by doing their jobs.
A self-proclaimed data junkie and an avid British cyclist, Curphey took personal interest in Team Sky, Great Britain's professional cycling organization formed after the Lance Armstrong doping scandal. The cycling group was searching for a way to improve performance -- without chemicals -- and turned to big data to track their athletes. "They looked at the power and the force the athletes put out, the calories they took in, just about everything," Curphey explained. "[Their] strategy was all about marginal gains. If [a cyclist] can improve 1% here and there, it's all going to add up." Team Sky's use of big data analytics had helped solidify Curphey's own business plans for his startup company. "That data was the key to their success," he added, "and that was the key to how SourceClear was going to be able to make a difference."
SourceClear uses big data analytics -- powered by the Amazon Web Services cloud -- to analyze millions of lines of source code in an effort to find flaws. Using SourceClear's tool, a software developer today can choose a piece of code and find out immediately if there are any security vulnerabilities and, if so, where the patch is located. This capability not only makes for safe apps, but saves the time-pressured developer valuable minutes or hours each day.
Analyzing big data makes it all possible. "Historically people have done [security] research [on open source code], but they would find things only by stumbling over it and they weren't systematically looking at the entire scope of the code," Curphey said. "We ultimately consider ourselves a data science company, and it is critical to what we do." His 25-person company includes three data scientists and a total of five employees with doctorate degrees all focused on ensuring safe apps. "Modern data science," Curphey noted, "allows us to do what an individual security researcher used to do and now do it at scale."
- Founder and CEO of open source code security firm SourceClear.
- Formerly principal group program manager at Microsoft, software security and development consultant at Foundstone Professional Services and information security director at Charles Schwab.
- Earned a master's degree in information security from Royal Holloway, University of London, and bachelor's degree in mechanical engineering from the University of Brighton, U.K.
- A self-proclaimed data junkie as well as a cycling enthusiast who rides his bike to work across the Golden Gate Bridge.
- Lives north of San Francisco with his family.
Yet, the reality is that all the power Curphey can harness is also available to the bad guys, something he's quick to point out. And that's why SourceClear won't limit itself to just analyzing lines of open source code with an eye toward making apps safer.
Curphey takes the time to reflect on more ways to use big data and other issues while riding his bike to work daily across the Golden Gate Bridge. "When I look at our developers here, they are embracing this modern world, and there are two camps: one that wants to build everything from the ground up and one that wants to build on top of the shoulders of giants," he explained. "If we leverage what we have now, like AI and big data, we can focus on solving new problems versus solving the old ones over and over again." With data science, he added, "we have the intelligence now to make smart decisions in the world."
To prove his point, Curphey need not look any further than the performance of Team Sky member Chris Froome, who recently won the 2016 Tour de France.