CA Technologies acquires SourceClear in DevSecOps push
CA Technologies has agreed to purchase SourceClear in a bid to improve the security of software and SaaS-based applications in the enterprise.
Financial details were not disclosed.
Security
Sam King, General Manager of CA Veracode, said in an announcement that the acquisition is intended for the improvement of DevSecOps and to mitigate the risks that open-source software poses.
Founded by Mark Curphey, the creator of the Open Web Application Security Project (OWASP), SourceClear is the developer of a SaaS-based software composition analysis tool.
The tool draws on a vulnerability database beyond the National Vulnerability Database (NVD) to scan and detect which applications utilize vulnerable components, as well as whether or not the vulnerable functionality is in active use -- which may reduce false positive rates when bug scanning through open-source libraries.
Given this knowledge, security and development teams can tackle the most high-priority issues first -- and dismiss the components which are not in active use -- which may save time, money, and reduce the risk posed to the enterprise due to some open-source systems.
"With the acquisition of SourceClear, we're taking a great step forward in bringing that same combination of security, productivity, and efficiency to the way developers use and test open source libraries so that our customers can use open source libraries to accelerate software development without adding unmanaged risk," King says.
Open-source systems and libraries are of incalculable value to enterprise players. According to SourceClear, there will be close to half a billion open-source libraries available to developers within a decade.
However, open-source systems can also pose risk, due to the nature of their development, patching, and bugs which may or may not be picked up by developers. Researchers from Black Duck found that in 2017, the majority of enterprise apps in the financial industry which used open-source software contained vulnerabilities -- some of which were over four years old.
See also: Open-source software management fails to meet security concerns
"In some cases, the vulnerabilities causing breaches are well known and documented," King added. "But in other cases, they are not included in the National Vulnerability Database. And with the number of open source libraries only growing it can be difficult for companies to keep track of which component and which version are secure."
CA Technologies intends to fully integrate SourceClear technologies into the Veracode platform, and hopes that this gives clients the opportunity to take advantage of open-source technologies without "introducing unnecessary risk."