CA Technologies announced its acquisition of software composition analysis specialists SourceClear early this week with aims to incorporate SourceClear’s SaaS-based SCA tool and proprietary vulnerability database with their Veracode cloud platform.
“We are excited about what this acquisition means for our customers in terms of increased support for SCA in DevSecOps environments and the ability to confidently use open source components without introducing unnecessary risk,” Sam King, general manager of CA Veracode wrote in a blog post
According Sam King, open-source libraries are becoming extremely important because of its ability to save time, reduces inefficiency, and increase developer productivity, but these libraries come with risks. King revealed that 88 percent of Java applications recently analyzed by CA had at least one component-based vulnerability. “With the acquisition of SourceClear, we’re taking a great step forward in bringing that same combination of security, productivity and efficiency to the way developers use and test open source libraries, so that our customers can use open source libraries to accelerate software development without adding unmanaged risk,” King wrote in a blog post.
King says the SourceClear’s SCA solution can not only inform the user about vulnerable components, but also whether that component is being utilized in the application, reducing false positives related to unused components in an open-source library which may be insecure, but inconsequential to a project.
According to projections by SourceClear, there will be nearly a half-billion open-source libraries available to developers within a decade, and the company has aimed to future-proof their utility.
“In addition to tracking public sources like CVEs, SourceClear constantly data-mines millions of commits in open-source libraries, watches thousands of bug-trackers and parses the change-logs of popular libraries,” King wrote. “As a result, customers can even find vulnerabilities that have not been reported to NVD. Each issue includes prescriptive fix information, much of which can be automated to increase speed.”
