SourceClear (now Veracode) | |
Founded: | 2013 |
Founder: | Mark Curphey |
HQ Location City: | San Francisco, California |
HQ Location Country: | U.S.A. |
Key People: | Mark Curphey (CEO), Paul Ambrosini (Co-Founder), Jason Nichols (Co-Founder), Asankhaya Sharma (Head of R&D) |
Products: | Application Security Tools |
SourceClear or SRC:CLR (later part of Veracode) was an American software company with its namesake security tool for software developers. SourceClear focused on open-source software development, plugging into developers' existing workflows and examining security risks of open-source and third-party code in real time. The company was headquartered in San Francisco, California, with an office in Singapore. It had customers in the technology, social media, retail, finance, and defense industries. In October 2015, it announced a $10 million Series A round of funding. In 2018 it was acquired by CA Technologies, after which it was folded into Veracode.
SourceClear was founded in Seattle in 2013 by Mark Curphey, the original founder of OWASP, who served as the company's CEO, and who described SourceClear as "the only company on the planet 100% dedicated to building security tools for software developers."[1]
In June 2014, SourceClear raised a $1.5 million seed round from a group of investors, including the former CSOs at Yahoo!, Verisign and Symantec and from Frank Marshall, the first VP of engineering at Cisco Systems.[2] It raised an additional $10 million in October 2015 from Index Ventures and Storm Ventures in its Series A round of funding, with the intention of expanding its executive, engineering and research team.[3] [4]
SourceClear again made headlines in November 2015, when it identified a flaw in Spring Social, a popular Java application library. The flaw had allowed hackers to impersonate users on social media. SourceClear privately disclosed the flaw to Pivotal Software, which then patched the library.[5] Later that month, SourceClear also demonstrated a denial-of-service attack based on the Amazon AWS SDK for Java.[6]
SourceClear was purchased by CA Technologies and became a part of Veracode in 2018.[7] The srcclr CLI tool became a part of Veracode's integrated product suite.
The focus of SourceClear was open-source software development. Since developers are increasingly consuming and extending free open-source and third-party components and libraries, their products can become vulnerable to hacking. SourceClear's tools helped developers by telling them what open-source code they were using, who created it, what it was doing (or could do) in their applications and which components had vulnerabilities. The tools became a part of the developers' workflow and examined security risks of open-source code in real time. Their analytics and machine-learning tools analyzed open-source components and reported on their origin, creation, and impact on applications. They informed developers which vulnerabilities could be exploited by hackers and how to prevent them. The service also allowed users to scan their GitHub repositories and run it in their continuous integration systems.
SourceClear supported Java, JavaScript, Ruby on Rails, Node.js, and Python,[8] with previously announced plans to support Scala and C/C++.[9] [10]