SourceClear

SourceClear (now Veracode)
Founded: 2013
Founder: Mark Curphey
Headquarters: U.S.A.
Key people: Mark Curphey (CEO); Paul Ambrosini (Co-Founder); Jason Nichols (Co-Founder); Asankhaya Sharma (Head of R&D)
Products: Application Security Tools
Website: www.veracode.com

SourceClear or SRC:CLR (later part of Veracode) was an American software company with its namesake security tool for software developers. SourceClear focused on open-source software development, plugging into developers' existing workflows and examining security risks of open-source and third-party code in real time. The company was headquartered in San Francisco, California, with an office in Singapore. It had customers in the technology, social media, retail, finance, and defense industries. In October 2015, it announced a $10 million Series A round of funding. In 2018 it was acquired by CA Technologies, after which it was folded into Veracode.

History

SourceClear was founded in Seattle in 2013 by Mark Curphey, the original founder of OWASP, who served as the company's CEO, and who described SourceClear as "the only company on the planet 100% dedicated to building security tools for software developers." [1]

In June 2014, SourceClear raised a $1.5 million seed round from a group of investors, including the former CSOs at Yahoo!, Verisign and Symantec and from Frank Marshall, the first VP of engineering at Cisco Systems. [2] It raised an additional $10 million in October 2015 from Index Ventures and Storm Ventures in its Series A round of funding, with the intention of expanding its executive, engineering and research team. [3] [4]

SourceClear again made headlines in November 2015, when it identified a flaw in Spring Social, a popular Java application library. The flaw had allowed attackers to impersonate users on social media. SourceClear privately disclosed the flaw to Pivotal Software, which then patched the library. [5] Later that month, SourceClear also demonstrated a denial-of-service attack based on the Amazon AWS SDK for Java. [6]

SourceClear was purchased by CA Technologies and became a part of Veracode in 2018. [7] The srcclr CLI tool became a part of Veracode's integrated product suite.

Software

The focus of SourceClear was open-source software development. Since developers increasingly consume and extend free open-source and third-party components and libraries, their products can inherit vulnerabilities from that code. SourceClear's tools helped developers by telling them what open-source code they were using, who created it, what it was doing (or could do) in their applications, and which components had known vulnerabilities. The tools became a part of the developers' workflow and examined security risks of open-source code in real time. Their analytics and machine-learning components analyzed open-source dependencies and reported on their origin, creation, and impact on applications. They informed developers which vulnerabilities could be exploited and how to prevent that. The service also allowed users to scan their GitHub repositories and to run it in their continuous integration systems. [2] [3] [8]

SourceClear supported Java, JavaScript, Ruby on Rails, Node.js, and Python, [9] with previously announced plans to support Scala and C/C++. [10] [8]
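The core task the section describes, mapping the open-source components a project declares to known advisories, is what software composition analysis (SCA) tools do. The following is an added illustration of that matching step, not SourceClear's or Veracode's code: it reads a constructed requirements.txt-style manifest, compares each pinned version against a constructed advisory list with introduced/fixed version ranges, and separately reports dependencies whose version cannot be determined from the manifest alone. The package names, manifest contents and advisory identifiers are all made up for the example.

```python
"""Minimal software composition analysis (SCA) check, as an added illustration.
This is not SourceClear's or Veracode's code; the manifest text, the package
names and the advisory identifiers below are all constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive); "" means no fix yet


@dataclass(frozen=True)
class Dependency:
    name: str
    version: Optional[str]   # None when the manifest does not pin a version


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.19.1' -> (2, 19, 1). Simplified: non-numeric parts count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a < b; the shorter tuple is zero-padded so 2.20 == 2.20.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected when introduced <= version < fixed (or when no fix is published)."""
    if version_lt(version, adv.introduced):
        return False
    return adv.fixed == "" or version_lt(version, adv.fixed)


def parse_manifest(text: str) -> List[Dependency]:
    """Parse requirements.txt-style lines; only '==' pins yield a usable version."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append(Dependency(name.strip().lower(), version.strip()))
        else:
            # >=, ~=, bare names: the installed version is unknown from the manifest alone
            name = line
            for op in (">=", "<=", "~=", "!=", ">", "<"):
                name = name.split(op, 1)[0]
            deps.append(Dependency(name.strip().lower(), None))
    return deps


def scan(text: str, advisories: List[Advisory]) -> dict:
    """Return matched (package, version, advisory_id) findings and unpinned names."""
    findings, unpinned = [], []
    for dep in parse_manifest(text):
        if dep.version is None:
            unpinned.append(dep.name)   # cannot be assessed without a resolved version
            continue
        for adv in advisories:
            if adv.package == dep.name and is_affected(dep.version, adv):
                findings.append((dep.name, dep.version, adv.advisory_id))
    return {"findings": findings, "unpinned": unpinned}


# Constructed advisory feed (hypothetical packages and placeholder identifiers).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "examplelib", "1.0.0", "1.4.2"),
    Advisory("EXAMPLE-ADV-0002", "otherlib", "2.0", ""),   # no fixed version yet
]

# Constructed manifest with pinned, clean, and unpinned entries.
SAMPLE_MANIFEST = """\
# constructed requirements.txt for the example
examplelib==1.3.0      # inside the affected range
thirdlib==0.8.1        # no advisory
otherlib==2.1.0        # affected, no fix published
anotherlib>=0.9        # not pinned: version unknown
"""

if __name__ == "__main__":
    print(scan(SAMPLE_MANIFEST, ADVISORIES))
```

A manifest that only pins a lower bound tells the scanner nothing about what was actually installed, which is why the example reports such entries separately rather than silently passing them; a real tool resolves the lock file or the built artifact instead.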


References

  1. Tom Taulli (21 June 2014). "SourceClear: How The Founder Raised A $1.5M Seed Round". Forbes. Retrieved 28 November 2015.
  2. Frederic Lardinois (11 June 2014). "SourceClear Raises $1.5M Seed Round For Its Software Security Platform". TechCrunch. Retrieved 28 November 2015.
  3. Christina Mulligan (30 October 2015). "SourceClear raises funding to help improve software security". SD Times. Retrieved 28 November 2015.
  4. Deborah Gage (27 October 2015). "SourceClear Raises $10M to Secure Open-Source Code". Wall Street Journal. Retrieved 28 November 2015.
  5. Michael Mimoso (13 November 2015). "CSRF Flaw Patched in Popular Spring Social Core Library". Threat Post. Retrieved 28 November 2015.
  6. Asankhaya Sharma (24 November 2015). "Amazon AWS Java SDK Vulnerability Disclosure". SourceClear. Retrieved 28 November 2015.
  7. Sam King (9 April 2018). "Press Release: 'CA Technologies Acquires SourceClear, Advancing SCA Capabilities...'". Retrieved 19 January 2023.
  8. John K. Waters (16 November 2015). "Spring Social Vulnerability Fixed by a Newcomer". ADT Mag. Retrieved 28 November 2015.
  9. "SourceClear Frequently Asked Questions". SourceClear. Retrieved 18 November 2016.
  10. Jordan Novet (27 October 2015). "Developer-focused security startup SourceClear raises $10M". Venture Beat. Retrieved 28 November 2015.