Modern development frameworks and libraries can make writing software quite a bit easier, but attackers know this too and specifically target popular frameworks, because one exploitable flaw reaches every application built on them. Unless you constantly track vulnerability advisories for every library you depend on and update promptly, there is a good chance you end up running a known-vulnerable version sooner or later. SourceClear believes that the best approach to this problem is to build security tooling right into the development tools that developers are already using.
Today, the company announced that it has raised a $1.5 million seed round from a group of investors that include Justin Somaini, the Chief Trust Officer at Box.com and former CSO at Yahoo; Frank J. Marshall, the former VP of Engineering at Cisco Systems Inc.; Amos Michelson, the Chairman of Kardium and Mary Cirillo, a board member at Thomson Reuters (TRI).
The company’s team has an impressive amount of experience in the security business. SourceClear was founded by a number of security veterans with experience at companies like Microsoft and McAfee’s Foundstone division. Its CEO Mark Curphey previously headed the software security program at Charles Schwab and led the information security tools team at Microsoft.
The company’s advisory board is similarly impressive and includes Box’s Somaini, as well as privacy expert and author Siobhan MacDermott, CrowdStrike CEO and former McAfee global CTO George Kurtz, software security expert John Viega and user experience expert Charlie Claxton.
So what does the company actually do? It uses analytics and machine-learning tools to monitor code right where it’s created, in the developer’s IDE. Right now, the service is only integrated into Eclipse, but the team plans to launch support for Visual Studio and JetBrains’ various IDEs soon. Users can also point the service at their GitHub repositories and have it scan those.
“Developers are the ones burdened with security failures,” said Frank Marshall, former VP of Engineering at Cisco Systems Inc. “By operating within developers’ workflows and helping them find and fix issues in real-time, SourceClear is addressing the biggest security vulnerability: The inability of organizations to distribute the right information to the right people at the right time.” He also previously argued that trusting software security to developers is “the fastest, cheapest, most efficient, and certainly most secure engineering workflow possible,” but to do so, developers have to be empowered with big-picture information about the whole development process.
This is only one approach the company is taking, though. It also plans to launch the ability for companies to set their own security rules for developers soon.
In addition, the team plans to release server agents that alert users when a vulnerability is newly discovered in code that has already been deployed to production, as well as integration with continuous integration servers so that code with known vulnerable dependencies is stopped before it is ever deployed.
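To make concrete what such a CI gate and such a post-deployment alert actually check, here is an added example of a minimal dependency check of the kind described above. It is illustrative code written for this article, not SourceClear’s product or code, and the advisory feed, the package names and the manifest in it are all constructed for the example: a pinned manifest is parsed, each pin is compared against an advisory list of affected version ranges, the build is refused if anything matches, and the same comparison is re-run against a set of already-known advisory ids to surface only findings that are new since the code was deployed.

```python
"""Minimal dependency check of the kind a CI gate or a server agent would run.

Constructed example for illustration: the advisory feed, package names and
manifest below are made up; none of them refer to real packages or advisories.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, ...]

# Constructed advisory feed. An affected range is [introduced, fixed):
# "fixed" is the first version that is no longer vulnerable.
ADVISORIES = [
    {"package": "webframework", "introduced": "2.0.0", "fixed": "2.3.1", "id": "EXAMPLE-0001"},
    {"package": "yamlparse",    "introduced": "0.0.0", "fixed": "1.4.0", "id": "EXAMPLE-0002"},
]

# Constructed manifest in requirements.txt style (comment line included).
MANIFEST = """\
# application dependencies (constructed sample)
webframework==2.2.5
yamlparse==1.4.2
httpclient==0.9.1
"""


def parse_version(s: str) -> Version:
    """Turn '2.3.1' into (2, 3, 1); a trailing pre-release tag such as 'rc1' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", s)
    if core is None:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines, ignoring blanks and comments.

    Unpinned lines (no '==') are rejected: a gate that cannot tell which
    version will actually be installed cannot vouch for it.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, refusing to gate: {line!r}")
        name, ver = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = ver
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if version lies in the half-open affected range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(pins: Dict[str, str], advisories: Iterable[dict]) -> List[dict]:
    """Match every pinned package against every advisory for that package."""
    findings = []
    for adv in advisories:
        ver = pins.get(adv["package"].lower())
        if ver is not None and is_affected(ver, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "version": ver,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def ci_gate(manifest_text: str, advisories: Iterable[dict]) -> Tuple[bool, List[dict]]:
    """CI case: return (allowed, findings); allowed is False if anything matched."""
    findings = find_vulnerable(parse_manifest(manifest_text), advisories)
    return (len(findings) == 0, findings)


def new_findings(pins: Dict[str, str], known_ids: Set[str], advisories: Iterable[dict]) -> List[dict]:
    """Agent case: for an already-deployed pin set, report only findings whose
    advisory was not known when the code shipped, so a fresh advisory raises an alert."""
    return [f for f in find_vulnerable(pins, advisories) if f["advisory"] not in known_ids]


if __name__ == "__main__":
    allowed, found = ci_gate(MANIFEST, ADVISORIES)
    for f in found:
        print(f"BLOCK: {f['package']}=={f['version']} matches {f['advisory']}, fixed in {f['fixed_in']}")
    raise SystemExit(0 if allowed else 1)
```

Run as a script it exits non-zero for the constructed manifest, because webframework 2.2.5 falls inside the advisory’s affected range while yamlparse 1.4.2 is already past its fix; that exit code is what a CI server keys on. The deliberate refusal of unpinned lines is the caveat a practitioner should carry over to any real gate: if the manifest does not fix the version, the check has nothing trustworthy to compare.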