Securing vulnerabilities in code is an undertaking that requires community effort to carry out. Could an open-source program that checks for vulnerabilities be the answer?

Ensuring a cloud application is secure is a time-consuming and expensive process, one that can have disastrous consequences if not done right. Deepfence Inc. intends to make the process not only easier and quicker, but more secure to boot.

“Security is built around public knowledge. When there are vulnerabilities, they’re shared with the community,” said Owen Garrett (pictured), head of products and community at Deepfence. “And we firmly believe that we should provide open-source, accessible tools that take that public knowledge and make it easy for anybody to benefit from it.”

Garrett spoke with theCUBE industry analyst Keith Townsend at the recent KubeCon + CloudNativeCon Europe, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed vulnerability scanning for application developers. (* Disclosure below.)

A software platform that benefits all

The challenge that making a secure program brings is something Deepfence hopes to solve. The company’s new software platform ThreatMapper is an open-source solution that can scan a program during development and find exploits possible in the code with a constantly updating list of virus definitions.

“You can use [ThreatMapper] to then scan and inventory your applications anytime you want and say, is this application still secure or are there new vulnerabilities disclosed recently that I didn’t know about?” said Garrett. “And we make the user experience as easy as we can.”

Using a traditional solution, a company may hide its virus definitions and known exploits behind a paywall. Deepfence believes in open-source security as it’s their belief hiding vulnerability and virus definitions behind paywalls is unethical, especially when allowing open dissemination of these definitions could prevent identity theft of consumers data. 

“That value is out there. It’s just about getting it into the hands of users, of developers,” Garrett stated. “And what we will do is we’ll take public feeds, like the CVEs from the NVD, National Vulnerability Database, we’ll take feeds from operating system vendors, for language packs, and then we help organizations understand the context so they can unlock the value.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the KubeCon + CloudNativeCon Europe event:

(* Disclosure: TheCUBE is a paid media partner for the KubeCon + CloudNativeCon Europe event. Red Hat Inc., the main sponsor for theCUBE’s event coverage, the Cloud Native Computing Foundation, and other sponsors do not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE