Jim Morrisroe, newly named president of software security startup SourceClear, worked at the dawn of the modern unified communications and cloud eras and is now keen to lend his management talents to the world of security—which he said he considers the most pressing need in technology today.
The vision for SourceClear, founded in 2013, is to enable organizations to use open-source code securely.
Morrisroe was previously CEO of OpenStack vendor Piston Cloud Computing, which Cisco acquired in June. Prior to Piston, Morrisroe was at messaging vendor Zimbra, which Yahoo acquired in 2007 and then sold to VMware in 2010.
Morrisroe will report to SourceClear founder and CEO Mark Curphey, whose background includes working at Foundstone, a division of McAfee, where he helped build tools and services to enable security.
SourceClear is an online platform that connects into an existing development pipeline, Curphey said. As such, SourceClear can integrate with continuous integration and deployment technology to identify potential risks as part of a DevOps workflow.
With open-source code libraries, developers can end up shipping code in their own applications that hasn't been updated and has known vulnerabilities. That's one of the use cases for the SourceClear service, which can check whether the library code a developer is using in an application has known vulnerabilities.
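To make the known-vulnerability check concrete, here is an added example (not SourceClear's code) of the matching a CI step performs: pinned dependencies from a lock file are compared against an advisory list with affected version ranges, and any hit fails the build. The advisory identifiers, package names and lock-file contents are all constructed for illustration.

```python
# Added example (not SourceClear's code): advisory lookup of pinned dependencies.
import re
import sys

# Constructed advisories: package -> [(affected range, fixed version, id)].
ADVISORIES = {
    "example-lib": [(">=1.0.0 <1.4.2", "1.4.2", "EXAMPLE-ADV-001")],
    "other-parser": [(">=0.0.0 <2.0.0", "2.0.0", "EXAMPLE-ADV-002")],
}

def parse_version(v):
    """'1.4' -> (1, 4, 0): pad to three numeric parts for tuple comparison."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, spec):
    """True if version satisfies every '>=x' and '<y' clause in spec."""
    v = parse_version(version)
    for op, bound in re.findall(r"(>=|<)\s*([\d.]+)", spec):
        b = parse_version(bound)
        if (op == ">=" and v < b) or (op == "<" and v >= b):
            return False
    return True

def parse_lockfile(text):
    """Parse constructed 'name==version' lines into a dict."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version = line.split("==")
            deps[name.strip()] = version.strip()
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (name, version, advisory id, fixed version) for each hit."""
    findings = []
    for name, version in sorted(deps.items()):
        for spec, fixed, adv_id in advisories.get(name, []):
            if in_range(version, spec):
                findings.append((name, version, adv_id, fixed))
    return findings

if __name__ == "__main__":
    # Constructed lock file standing in for the project's pinned dependencies.
    lock = "example-lib==1.3.0\nother-parser==2.1.0\nsafe-util==0.9.1\n"
    hits = find_vulnerable(parse_lockfile(lock))
    for name, ver, adv, fixed in hits:
        print(f"{name} {ver} matches {adv}; fixed in {fixed}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI stage
```

A real service would pull ranges from a maintained advisory feed and resolve transitive dependencies; the range comparison and build-failing exit code are the parts a pipeline relies on.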
SourceClear is also able to identify non-publicly disclosed vulnerabilities, Curphey explained, adding that the company has developed technology that can identify patterns in software that can be indications of a potential vulnerability. There are often more unknown vulnerabilities in source code than issues that have already been publicly disclosed, he said.
There are multiple challenges with discovering unknown vulnerabilities that have not yet been publicly disclosed. SourceClear is in the process of determining how it should report issues to upstream projects in a way that doesn't jeopardize users or potentially empower attackers, Curphey said. The risk is that if SourceClear's service identifies a vulnerability that isn't publicly known and that information leaks, it could potentially be weaponized by an attacker.
Today, SourceClear works with Java, Ruby and node.js, with goals to have Python coverage in the coming weeks. Morrisroe said that the plan is to have a set of announcements in the first quarter of this year to help fuel the developer momentum.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.