How GitLinks plans to protect companies from open source vulnerabilities

Written by Kelly O'Halloran
Published on Dec. 19, 2017
gitlinks austin
photo provided by gitlinks

Remember Equifax’s massive security breach this summer? The one that affected 143 million Americans?

Turns out, the company, knee-deep in fallout from the fifth largest data breach in history, has decided to use open source coding as its scapegoat.

“Equifax had been using open source code that had a known vulnerability, and they didn’t update the component,” said Ian Folau, CEO and co-founder of GitLinks. “Hackers knew the vulnerabilities existed, and they were able to exploit it.”

With open source, also known as public code, developers can pull and paste existing code off the internet to use as foundation for their own products.

“No one has to build code from the ground up anymore; that’s why we can build a website in a weekend,” said Folau, “All the parts are already out there, and we just have to bring and paste it together.”

While public code makes it easier for developers to build products faster, Folau said tracking open source code — and ensuring it’s secure and legally compliant — is a growing problem for companies.

“We make open source safe to use."

Enter GitLinks, a newcomer to Austin by way of New York City. The company automatically alerts tech leadership when someone on their team uses open source.

“We make open source safe to use,” said Folau, who spent a decade in the army working for the military intelligence and information security office.

In addition to identifying when open source has been utilized, GitLinks’ platform keeps an updated inventory of open source components and monitors for known vulnerabilities and licensing compliances.

Without something like this in place, Folau said DevOps teams typically log open source codes in a spreadsheet that they send off to the security team, legal team and IT team for approval.

“That takes about a month to get approval,” said Folau. “Think how fast developers are expected to work and ship product while waiting on an approval for a month. It’s ridiculous and not even practical. But there’s no other option. With GitLinks, when developers want to use open source, we can check immediately.”

Folau co-founded GitLinks with Nwamaka Imasogie after they met at Cornell Tech. Borne out of the duo’s capstone project in graduate school, GitLinks originally evaluated the quality and reliability of open source software. After meeting with C-levels from eBay and AOL, the pair realized just how hard it was for companies to track open source adequately and shifted focus.

GitLinks officially launched last week, and Folau said he and his team will focus on collecting feedback from early adopters and continue to scale. The team has seven employees now, with plans to add another six throughout the year.

Explore Job Matches.