The SourceClear Blog

Secure Continuous Delivery with SourceClear

Posted By: Brian Doll
October 12, 2016

Continuous Delivery is all about speed. Think fast, build fast, ship fast. But how do you ensure your software is safe when you’re so focused on speed?

By automating security checks with every build you can ship faster than ever, knowing you are delivering a safer product to your customers. That’s Continuous Delivery, Secured.

SourceClear brings Secure Continuous Delivery to the Atlassian Stack

Posted By: Brian Doll
October 11, 2016

Today we’re thrilled to announce that SourceClear is bringing automated security analysis to millions of developers building software with the Atlassian Stack. Continuous Delivery, Secured.

Comparing vulnerable methods with static analysis

Posted By: Darius Foo & Asankhaya Sharma
September 29, 2016

In this blog post, we will talk a bit about traditional static analysis - what it is, what it’s used for, and where our vulnerable methods analysis fits in amongst the other kinds of static analysis.

Wikipedia tells us:

Static program analysis is the analysis of computer software that is performed without actually executing programs

Why wouldn’t we want to execute a program in order to analyze it? The main reason is that we gain stronger guarantees about whether our analyses will terminate (modulo bugs in the analysis itself). Testing a program by executing it can only ever reveal the presence of bugs in paths that are exercised during the execution; static analysis, on the other hand, can reason about all possible paths in the program.

A static analysis tells us about the possible runtime behavior of programs. What it computes is essentially an approximation – it cannot have knowledge of the exact inputs a program receives at runtime, for example, so it can only operate based on abstractions of them. This may lead to false positives or false negatives, depending on how conservative or permissive an analysis is. Advancing the accuracy of current analysis techniques is an active area of research.

Static analyses are usually found in compilers, IDEs, linters, and standalone agents (like SourceClear’s CI agent) that run as part of a continuous integration pipeline. They detect errors, discover properties about programs, and help us write better programs in general.

Vulnerability Disclosures in an Open Source World

Posted By: Asankhaya Sharma
September 27, 2016

Before open source software took over the world, people bought software from companies with cold hard cash. There were Rolex watches involved, but there were regular security updates, too. Crazy, right?

Vulnerability disclosure for commercial software typically goes like this:

  • A security researcher sends an email, encrypted with PGP, to the vendor’s security team letting them know that a security issue exists.
  • Once they acknowledge receipt, a more detailed disclosure of the vulnerability is shared.
  • The vendor then establishes a timeline for fixing the issue, validating that the fix actually works, and planning the release of the fix.
  • Once the fix is released, the vulnerability is disclosed publicly.

While this process usually works well for commercial software, there are many ways that it can fall apart when disclosing open source vulnerabilities.

Dynamic Analysis is the only way

Posted By: Mark Curphey
September 26, 2016

SourceClear helps you use open source software safely. In order to analyze the security of your projects, we need to solve two problems:

  • Identify the complete list of dependencies and versions in use.
  • Determine which vulnerabilities apply to those dependencies.

To solve the first problem, there are three typical approaches:

  • Static analysis - parsing a build file
  • Binary analysis - inspecting the compiled code
  • Dynamic analysis - inspecting the build process

We’ve been at this for a few years now, and our experience has taught us that only one of these methods actually works - dynamic analysis, running inside the build process.

Yaqin has joined SourceClear

Posted By: Yaqin Zhou
September 15, 2016

Hi all! I’m Yaqin, working as a Security Researcher in the R&D team in Singapore.

Easier Configuration for Continuous Integration

Posted By: Sean Kinzer
September 14, 2016

We’ve made some improvements to how the SourceClear agent can be configured that make it easier to run inside continuous integration environments.

Introducing Branch & Tag Specific Scanning

Posted By: Sean Kinzer
September 12, 2016

Scanning a specific branch or tag in your projects just got a whole lot easier. If you use feature branches, development branches, release tags, or even use branches to separate different projects in the same repository, you can now specify any existing branch or tag for your SourceClear scans.

Hendy Chua has joined SourceClear

Posted By: Hendy Chua
September 1, 2016

Create GitHub issues directly from SourceClear

Posted By: Brian Doll
August 10, 2016

Integrating SourceClear with your issue tracker makes fixing and updating things a breeze. In addition to our JIRA integration, you can now create GitHub Issues directly from your vulnerability reports.

These new issues will automatically include:

  • Which library is vulnerable
  • The nature of the dependency (direct or transitive)
  • The recommended safe version to upgrade to
  • A code block that includes the suggested fix
