SourceClear on DevOps: forget tools that generate more noise than signal


Command Line Interface loveliness

DevOps firm SourceClear wants to give DevOps engineers (now that we all agree that this is a real job title) more tools to help find vulnerabilities in open-source code.

The firm’s eponymously named SourceClear Open is intended to detect emerging security threats, going beyond the known threats already catalogued in the databases of public malware detection vendors and governments.

SourceClear Open is built on the same foundation as SourceClear’s commercial products and is delivered as a cloud-based service.

“Developers are being held more accountable for security and demanding tools that help them with that responsibility,” according to SourceClear. “But traditional security products are insufficient, and the recent closure of the Open Source Vulnerability Database (OSVDB) and the well-documented struggles of the CVE and its naming process have underscored the limitations of public and government-backed software vulnerability databases.”

According to the firm’s about pages, “[Users can] use our Command Line Interface to scan quickly or automate your scans using our plugins for Maven, Gradle, Jenkins, Travis CI and our source code management agent. Your source code never leaves your network and your results are always encrypted when being transmitted and stored.”

Generating more noise than signal

SourceClear CEO Mark Curphey says his team designed the product this way because developers always want to do the right thing, but have been faced with tools that generate more noise than signal.

Curphey claims that the technology can track thousands of threat sources and analyse millions of open-source library releases.

What’s inside the box?

SourceClear includes ‘Registry’, a free database of security knowledge about the world’s open-source libraries and frameworks, including a complete list of all publicly disclosed vulnerabilities.

In addition to the Open edition, both Pro (additional premium features and support) and Enterprise (extended features for complex requirements) editions are available.