SourceClear Announces First-of-its-Kind Domain-Specific Language to Identify Open-Source Vulnerabilities

New Security Graph Language empowers security researchers and the next generation of code analysis tools to uncover security issues in open-source code in real time

San Francisco, California, UNITED STATES

SAN FRANCISCO AND SINGAPORE, Aug. 24, 2017 (GLOBE NEWSWIRE) -- SourceClear, the leader in security automation and risk management for open-source code, today announced the Security Graph Language (SGL), the industry's first domain-specific language designed to identify security issues in open-source code. SGL allows users and next-generation tools to analyze billions of lines of code in millions of open-source libraries that are stored in a graph database and to share the findings in real time in an unambiguous, machine-readable format.

The language specification and reference architecture enable an in-depth analysis of any library the minute it is published upstream, and SourceClear will be working with the open-source community to use and extend the technology later this year, enabling malicious code to be detected before it is ever used in any organization.

The vast majority of security issues in open-source code remain undetected today because the current state of the art is to use static signatures that look for previously reported issues. The volume, complexity, and frequency of open-source code publishing require a more sophisticated, behavioral technique to ensure real-time protection from entire classes of vulnerabilities, malware, adware, backdoors and a host of emerging threats, including vulnerable code that has been cut and pasted across libraries. SourceClear predicts that by 2027, at the current publishing rate, there will be more than 450M new library versions. SGL is defining the new standard to enable organizations to use open-source safely by allowing security researchers to describe new issues in a format that is unambiguous and complete.

The SGL project is led by SourceClear Director of R&D, Dr. Asankhaya Sharma. A private set of customers has been involved in the early stages of the language design.

“Analyzing open-source required a fresh approach that, it turns out, was more akin to DNA gene sequencing than it was to traditional security analysis,” said Mark Curphey, CEO and Founder of SourceClear. “Being able to uncover the true impact of vulnerabilities like HeartBleed and uncover similar issues quickly and at scale will revolutionize the industry and make the entire world a safer place.”

Adoption of open-source in the enterprise is growing at an unprecedented rate. In a growing number of instances, the majority of code used in modern applications is open-source. This trend is exposing businesses to risks that can and must be prevented. Security and compliance professionals need visibility into the code and licenses in use, the ability to identify and remediate security issues quickly and accurately, and the ability to set controls that prevent new ones from creeping in. SourceClear is investing heavily in integrations that let security professionals collaborate better with developers, including integrations with GitHub, Atlassian Jira, Jenkins, and CodeShip, to name a few.

SourceClear plans to open-source the language specification and a reference architecture in late 2017 and will open up a community researcher program in early 2018. Qualified security researchers will be given access to the language, tools, infrastructure, and dataset to research and disclose security issues in open-source code at scale.

SGL is being demoed live for the first time at HITB in Singapore in a keynote by SourceClear CEO and Founder Mark Curphey.

Supporting Quotes

“Threats and exploits to open-source technologies have been notoriously difficult to detect with traditional tools and the old signature-driven approaches are no longer adequate in providing appropriate defense,” said George Kurtz, CrowdStrike’s co-founder and chief executive officer. “The SGL project is a great step forward to providing a collaboration platform for the industry to address some of the most complex and advanced threats and contribute to the safety of open-source tools and technologies, a mission that CrowdStrike is deeply committed to.”

About SourceClear

Organizations use SourceClear to automate security and manage risk for open-source code. Founded in 2014 with offices in San Francisco and Singapore, we are a team of software engineers and scientists helping the world build secure software.

For more information visit
