The wealth of open-source code on the web is a major boon for developers, but using outside components in an application carries risks. Many of the biggest security vulnerabilities in recent memory, including Heartbleed, were introduced to services through code taken from public repositories.

WhiteSource Software Ltd. is working to alleviate the risk. The Israeli startup, which announced today that it has raised $10 million in funding, offers a platform that can automatically scan external application components for problems. This includes not only security issues but also code licensing requirements that might create copyright issues if left unaddressed.

The first component of WhiteSource is a browser extension designed to preempt any potential legal problems. It runs in the background and shows important information as a developer explores open-source repositories, including whether or not a project meets their company’s compliance policies. Then once they integrate the code into an application, the backend component of the startup’s offering starts looking for more subtle problems.

WhiteSource scans each open-source component for security weaknesses cataloged in threat intelligence sources such as the National Vulnerability Database. At the same time, another mechanism checks the license restrictions on the code and automatically generates the necessary legal documentation.

It works similarly to the compliance automation service offered by FOSSA Inc., which raised $2.2 million earlier this year from a group of investors that included Salesforce.com Inc. Chief Executive Marc Benioff. Both the startup and WhiteSource periodically re-check code after the initial assessment to help developers identify any problems that might emerge over time. When the latter platform spots an issue, it sends an alert to the necessary personnel.

WhiteSource will use the capital from today’s round to build more features for the software and expand internationally. The investment was led by 83North with support from David Strohm of Greylock Partners and Microsoft Corp.’s venture capital arm.

Mony Hassid, who runs the company’s investment activities in the EMEA region, said that its participation came as part of “our drive to make open-source software practical, productive and secure.” Microsoft contributes to numerous community-led software projects in an effort to foster ties with the developer community, which is a key source of revenue. Making it easier for companies to adopt components from public repositories can provide an indirect but significant boost for the open-source movement.

WhiteSource is already used at hundreds of firms, including Comcast Corp., Nokia Corp. and game development giant King Digital Entertainment plc.  

Image: StockSnap