What if it were easy to make an app more secure? And, even better, what if it were free?
Startup SourceClear has introduced a tool, SourceClear Open, that lets developers check the open source code in their projects against a vulnerability database, flagging known vulnerabilities immediately and pointing them to the patches that fix them. The basic tool is free.
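The check the article describes, matching an app's pinned open source dependencies against a vulnerability database and naming the patched version to upgrade to, is short enough to show in full. The script below is an added example written for this page; it is not SourceClear's code and makes no claim about how SourceClear Open works internally. The package names, version numbers and advisory identifiers (EX-2016-0001 and so on) are constructed for illustration and are not real advisories. It goes slightly beyond the article by also handling the two cases a practitioner runs into most: a dependency that is not pinned to an exact version (the check refuses it, since the match is meaningless without one) and a vulnerability for which no fixed release exists yet.

```python
"""Minimal dependency-vulnerability check: compare pinned open source
dependencies against a vulnerability database and report the fix.

Added example for this article, not SourceClear's code. All package names,
versions and advisory IDs are constructed, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real advisory
    package: str
    introduced: Version       # first affected version (inclusive)
    fixed: Optional[Version]  # first fixed version (exclusive); None = no fix released
    summary: str

    def affects(self, version: Version) -> bool:
        if version < self.introduced:
            return False
        return self.fixed is None or version < self.fixed


# Constructed vulnerability database (hypothetical packages and advisories).
VULN_DB: Dict[str, List[Advisory]] = {
    "example-yaml": [
        Advisory("EX-2016-0001", "example-yaml", (0, 0, 0), (5, 1, 0),
                 "unsafe loader allows code execution"),
    ],
    "example-http": [
        Advisory("EX-2016-0002", "example-http", (2, 0, 0), (2, 8, 3),
                 "header injection"),
        Advisory("EX-2016-0003", "example-http", (2, 9, 0), None,
                 "request smuggling (no fix released)"),
    ],
}


def parse_requirements(text: str) -> Dict[str, Version]:
    """Parse pinned 'name==x.y.z' lines, ignoring comments and blank lines.

    Unpinned lines are rejected: without an exact version you cannot tell
    whether the dependency is affected, which is the whole point of the check.
    """
    pinned: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"dependency not pinned to an exact version: {line!r}")
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = parse_version(version)
    return pinned


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory_id: str
    summary: str
    upgrade_to: Optional[str]  # None when no fixed release exists


def scan(pinned: Dict[str, Version], db: Dict[str, List[Advisory]] = VULN_DB) -> List[Finding]:
    """Match every pinned dependency against the database and name the fix, if any."""
    findings: List[Finding] = []
    for name, version in sorted(pinned.items()):
        for adv in db.get(name, []):
            if adv.affects(version):
                fix = ".".join(map(str, adv.fixed)) if adv.fixed else None
                findings.append(Finding(name, ".".join(map(str, version)),
                                        adv.advisory_id, adv.summary, fix))
    return findings


# Constructed manifest for a hypothetical app.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed example)
example-yaml==3.12      # vulnerable, fix available
example-http==2.8.3     # already at the first fixed version
example-json==1.0.0     # not in the database
"""

if __name__ == "__main__":
    for f in scan(parse_requirements(SAMPLE_REQUIREMENTS)):
        action = f"upgrade to {f.upgrade_to}" if f.upgrade_to else "no fixed version yet; mitigate or replace"
        print(f"{f.package}=={f.installed}: {f.advisory_id} ({f.summary}) -> {action}")
```

Two design points carry over to any real scanner: versions must be compared as numeric tuples (a string comparison puts "1.10.0" before "1.9.5" and silently misses the affected range), and a match with no fixed release is still a finding, just one whose remediation is "mitigate or replace" rather than "upgrade".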
CEO and founder Mark Curphey spent more than 15 years in security, much of the time incredibly frustrated by how hard it was to bring developers and security people together. "Security was always just getting in the way of development," he said. "A developer's primary goal is to ship features. I wanted to find a way to make it easy for everyone to do the right thing."
Easy is not how anyone today would describe the point where security and development meet. Code is released more quickly and more often, and the threats to it keep growing. "Security threats are going up faster than we see the skill sets available to respond to them," said Kurt Bittner, principal analyst for application development and delivery at Forrester Research. "It's a serious problem."
Curphey agreed. "Security has just been way too hard," he said. "We don't want developers to feel they're beaten with a stick or forced into it."
SourceClear starts with the premise that up to 90% of developers use some open source code, and while that's a great choice for speed and ease, it's also a great choice for hackers, Curphey explained. "The bad guys find the backdoors in that code and install malicious code, and suddenly, that's right in the heart of your software." But open source code projects are very popular: A report released last month recommended U.S. government agencies use even more open source code going forward to save time and money. It makes sense, but it's risky, Curphey said, explaining that the so-called Panama Papers were hacked through a backdoor found in an unpatched segment of open source code.
"For the first time, developers are getting a complete tool for free that installs quickly and rapidly connects to the tools and processes that will allow this change to take place," Curphey said. "This gives developers a larger portion of the security responsibility, one they already had indirectly, but without the tools to deal with it. We're directly enabling them by giving them tools and not slowing them down."