As software becomes a bigger component of the value delivered by companies in every industry, it’s no exaggeration to say that every company is becoming a software company. We find our customers pushing the envelope on how to tool up their internal software factory to make software better, faster and more efficiently.
Those goals are also driving increased use of open source libraries. This saves developers’ time, shortens time to market, and reduces the inefficiency that comes from rewriting code for functionality that somebody else has already built. But as we’ve seen with recent breaches, open source libraries come with a set of risks. When we examined the security of open source software components as a part of our analysis of Java applications, 88% had at least one component-based vulnerability. In 2017, a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars.
To address this issue of open source risk we are excited to announce our acquisition of SourceClear, a technological leader with groundbreaking innovations in software composition analysis (SCA) and founded by Mark Curphey, the creator of OWASP. SourceClear offers a SaaS-based software composition analysis tool, which relies on a proprietary vulnerability database that goes significantly beyond the NVD and a unique vulnerable methods technology that increase the actionability of SCA results.
With the acquisition of SourceClear, we’re taking a great step forward in bringing that same combination of security, productivity and efficiency to the way developers use and test open source libraries, so that our customers can use open source libraries to accelerate software development without adding unmanaged risk.
SourceClear's SCA solution not only tells you which applications have a vulnerable component, it tells you whether or not the functionality is being used - something no other SCA solution can offer. This greatly reduces the false positives related to functions that exist in the open source library but pose no practical risk because they are not used by the application. It also allows developers to prioritize which components to fix, saving time while reducing risk.
In some cases the vulnerabilities causing breaches are well known and documented. But in other cases, they are not included in the National Vulnerability Database. And with the number of open source libraries only growing it can be difficult for companies to keep track of which component and which version are secure. SourceClear did the math and estimates the creation of new libraries continues at the same rate, there will be almost half a billion open-source libraries available to developers within a decade. SourceClear addresses this challenge too. In addition to tracking public sources like CVEs, SourceClear constantly data-mines millions of commits in open-source libraries, watches thousands of bug-trackers and parses the change-logs of popular libraries. As a result, customers can even find vulnerabilities that have not been reported to NVD. Each issue includes prescriptive fix information, much of which can be automated to increase speed.
We plan to fully integrate the SourceClear technology into the Veracode cloud platform. We are excited about what this acquisition means for our customers in terms of increased support for SCA in DevSecOps environments and the ability to confidently use open source components without introducing unnecessary risk. If you’re interesting in trying SourceClear for yourself, check out the free trial here or contact your sales or services representative.