SourceClear offers free security tool for open source code projects

It's a scary world out there, but developers are in a rush to release. SourceClear Open gives developers the tools to make open source code projects more secure for free.

What if it was easy to make an app more secure? And even better, what if it was free?

Startup SourceClear has introduced a tool -- SourceClear Open -- that will let developers check open source code projects against a database that can immediately tell them if there are security vulnerabilities and steer them to patches. And the basic tool is free.

CEO and founder Mark Curphey spent more than 15 years in security, much of the time incredibly frustrated by how hard it was to bring developers and security people together. "Security was always just getting in the way of development," he said. "A developer's primary goal is to ship features. I wanted to find a way to make it easy for everyone to do the right thing."

Easy is not how anyone today would describe the place where security and development meet. Code is being released more quickly and more often, even as threats to security rise exponentially. "Security threats are going up faster than we see the skill sets available to respond to them," said Kurt Bittner, principal analyst for application development and delivery at Forrester Research. "It's a serious problem."

Curphey agreed. "Security has just been way too hard," he said. "We don't want developers to feel they're beaten with a stick or forced into it."

SourceClear starts with the premise that up to 90% of developers use some open source code, and while that's a great choice for speed and ease, it's also a great choice for hackers, Curphey explained. "The bad guys find the backdoors in that code and install malicious code, and suddenly, that's right in the heart of your software." But open source code projects are very popular: A report released last month recommended U.S. government agencies use even more open source code going forward to save time and money. It makes sense, but it's risky, Curphey said, explaining that the so-called Panama Papers were hacked through a backdoor found in an unpatched segment of open source code.

What Curphey thought was needed was a way to know exactly what source code was being used, what potential issues might be hiding in it, and then guidance on how to solve any problems with those source code projects. Through intensive big data analytics on the back end, SourceClear has analyzed millions of source code library releases and has created a registry of known security risks. Developers can access the cloud-based SourceClear Open from a desktop or any other device. It works with popular tools and environments, including GitHub, Bitbucket, Jenkins and Jira, and with languages including Java, Ruby, Python and JavaScript. Paid versions of SourceClear -- Pro and Enterprise -- offer extra features, support and scalability.
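The workflow described above, knowing exactly which libraries a project pulls in, matching each pinned version against a registry of known-vulnerable version ranges and pointing the developer at the first patched release, is the core of any dependency-vulnerability check. The following Python example is added here to illustrate that workflow; it is not SourceClear's code and makes no claim about how SourceClear Open works internally. The advisory registry, library names and advisory identifiers are constructed placeholders, and the manifest format is a simplified pip-style requirements file with `name==version` pins.

```python
"""Illustrative dependency check against a constructed advisory registry.

Added example, not SourceClear's code. Every library name and advisory id
below is a placeholder invented for this demonstration.
"""
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    library: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first patched version (exclusive upper bound)
    note: str        # placeholder identifier and short description


# Constructed sample registry; a real tool would pull this from a maintained feed.
REGISTRY = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-001 (placeholder): unsafe deserialization"),
    Advisory("examplelib", "2.0.0", "2.1.0", "EXAMPLE-ADV-002 (placeholder): path traversal"),
    Advisory("otherpkg", "0.0.0", "3.0.1", "EXAMPLE-ADV-003 (placeholder): weak default cipher"),
]

# Only exact pins can be evaluated; anything else is reported as unresolvable.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")


def parse_version(text):
    """Turn '1.4.2' or '1.4.2rc1' into a comparable 3-tuple of ints.

    Pre-release suffixes are dropped (numeric prefix of each part is kept),
    and short versions like '1.4' are padded with zeros so tuples compare cleanly.
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text):
    """Return ({library: version} for exact pins, [raw lines] that are not pinned)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def scan(manifest_text, registry=REGISTRY):
    """Match every pinned dependency against the registry.

    Returns (findings, unpinned): findings is a list of dicts naming the
    library, the version in use, the matching advisory and the fixed version.
    """
    pinned, unpinned = parse_manifest(manifest_text)
    findings = []
    for library, version in pinned.items():
        for adv in registry:
            if adv.library == library and is_affected(version, adv):
                findings.append({"library": library, "version": version,
                                 "advisory": adv.note, "fix": adv.fixed})
    return findings, unpinned


# Constructed manifest: one vulnerable pin, one patched pin, one unpinned line.
SAMPLE_MANIFEST = """
examplelib==1.3.0   # constructed: falls inside EXAMPLE-ADV-001's range
otherpkg==3.0.1     # constructed: exactly the fixed version, so not affected
thirdpkg>=2.0       # constructed: not pinned, so its version cannot be evaluated
"""

if __name__ == "__main__":
    found, unresolved = scan(SAMPLE_MANIFEST)
    for f in found:
        print(f"{f['library']}=={f['version']}: {f['advisory']}; upgrade to >= {f['fix']}")
    for line in unresolved:
        print(f"cannot evaluate unpinned requirement: {line!r}")
```

The unpinned case is reported deliberately: a floating requirement like `thirdpkg>=2.0` can resolve to a different release on every build, so a check that silently skipped it would give a false sense of coverage. Real registries also carry affected ranges per ecosystem and pre-release ordering rules that this simplified version comparison does not model.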

"For the first time, developers are getting a complete tool for free that installs quickly and rapidly connects to the tools and processes that will allow this change to take place," Curphey said. "This gives developers a larger portion of the security responsibility, one they already had indirectly, but without the tools to deal with it. We're directly enabling them by giving them tools and not slowing them down."
