Open Source Insider

May 12 2016   3:06PM GMT

SourceClear on DevOps: forget tools that generate more noise than signal

Adrian Bridgwater


Command Line Interface loveliness

DevOps firm SourceClear wants to give DevOps engineers (now that we all agree that this is a real job title) more tools to help find vulnerabilities in open-source code.

The firm’s eponymously named SourceClear Open is intended to help detect emerging security threats, going beyond the known threats that have already been catalogued by public malware-detection vendors and in government databases.

SourceClear Open is built on the same foundation as SourceClear’s commercial products and is delivered as a cloud-based service.

“Developers are being held more accountable for security and demanding tools that help them with that responsibility,” according to SourceClear. “But traditional security products are insufficient, and the recent closure of the Open Source Vulnerability Database (OSVDB) and the well-documented struggles of the CVE and its naming process have underscored the limitations of public and government-backed software vulnerability databases.”

According to the firm’s about pages, “[Users can] use our Command Line Interface to scan quickly or automate your scans using our plugins for Maven, Gradle, Jenkins, Travis CI and our source code management agent. Your source code never leaves your network and your results are always encrypted when being transmitted and stored.”

Generating more noise than signal

SourceClear CEO Mark Curphey says that his team designed the product this way because developers always want to do the right thing, but have been faced with tools that generate more noise than signal.

Curphey claims that the technology can track thousands of threat sources and analyse millions of open-source library releases.

What’s inside the box?

SourceClear includes ‘Registry’, a free database of security knowledge about the world’s open-source libraries and frameworks, including a complete list of all publicly disclosed vulnerabilities.

In addition to the Open edition, both Pro (additional premium features and support) and Enterprise (extended features for complex requirements) editions are available.
