CA Technologies is buying SourceClear, a startup that helps developers build safer software by scanning for security vulnerabilities in code.
Founded in Seattle in 2013 and now based in San Francisco, SourceClear has raised a total of $11.5 million in two rounds of funding to date. The startup was conceived by Mark Curphey, a British cybersecurity veteran who created the so-called Open Web Application Security Project, or OWASP, a nonprofit organization devoted to improving the security of software.
CA and SourceClear declined to disclose the terms of the deal.
“There is a lot of inherent risk in leveraging open source libraries to assemble software,” said Sam King, general manager for CA Technologies’ Veracode unit, SourceClear’s new home which specializes in application security, in a statement emailed to Fortune. One recent consequence of that risk: last year’s Equifax data breach, which was caused by the big three credit bureau using a vulnerable version of Apache Struts, a popular open source software project.
Veracode, bought by CA for $614 million in cash a year ago, plans to bolster its existing so-called software composition analysis offering with SourceClear’s tools. “We had an incredible roadmap ahead of us for our current SCA [software composition analysis] solution, but we realized that we could bring these features (and more) to market faster by acquiring a company like SourceClear,” King said.
A recent, yet unreleased survey of 400 application developers across the U.S., UK and Germany, found that only about half—52%—said they update their coding components when new security vulnerabilities come to light. Failing to patch bugs leaves holes in software that hackers can exploit to nefarious ends. Veracode shared a preview of that research, conducted by Vanson Bourne, a market research firm, with Fortune ahead of its publication, slated for this week.
Curphey is set to become vice president of business unit strategy in CA’s Veracode division, reporting to King.