DigiCert today announced it has allied with ReversingLabs to integrate binary analysis and threat detection capabilities with a code signing service it provides.
Deepika Chauhan, chief product officer for DigiCert, said the addition of these capabilities to the DigiCert Software Trust Manager service would make it simpler for organizations to operationalize a methodology for securing their software supply chains. The capabilities are designed to be embedded within continuous integration/continuous delivery (CI/CD) pipelines.
In addition to operating as a certificate authority, DigiCert offers the Software Trust Manager service, which automates code signing workflows. ReversingLabs, meanwhile, has just added the ability to detect secrets exposed in application binaries to its Software Supply Chain Security (SSCS) platform. That capability identifies secrets left in applications as plain text and secrets that can be recovered because they were protected with weak cryptography; the platform also includes scripts that scan for malware and can generate software bills of materials (SBOMs).
Chauhan said when combined with DigiCert Software Trust Manager, it becomes possible for the two companies to provide a comprehensive approach to detecting malware, software tampering, inclusion of secrets and certificate misconfigurations in any type of software.
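The secret-detection capability described above can be illustrated with a minimal scanner of the kind a CI/CD stage might run over a built artifact. The following is an added example written for this article, not ReversingLabs' or DigiCert's code: it extracts printable strings from a constructed binary blob, matches them against known secret signatures (the AWS access key ID format and the PEM private-key header are real formats; the `hyp_live_` prefix is a hypothetical application-specific token), and flags long high-entropy strings that carry no known signature. The entropy threshold is a tuning assumption, not a published value.

```python
import math
import re
from dataclasses import dataclass

# Minimum length of a printable run to be treated as a candidate string,
# mirroring the default of the classic `strings` utility.
MIN_STRING_LEN = 8

# Signature patterns for well-known secret formats. The AWS access key ID
# shape and the PEM private-key header are real; "hyp_live_" is a
# hypothetical app-specific token prefix used only for this illustration.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hypothetical_api_token": re.compile(r"hyp_live_[A-Za-z0-9]{24,}"),
}

# Assumed tuning values: printable runs of at least this many characters whose
# Shannon entropy (bits per character) reaches the threshold are reported even
# without a signature match. Ordinary English text of this length usually lands
# around 4.0-4.3 bits, so 4.5 keeps help strings and paths out of the report.
ENTROPY_MIN_LEN = 32
ENTROPY_THRESHOLD = 4.5


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset of the match within the blob
    kind: str     # which signature fired, or "high_entropy_string"
    value: str    # the matched text


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Yield (offset, text) for every run of printable ASCII of at least min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, computed from the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_binary(blob: bytes) -> list:
    """Return every secret-like string found in the blob, signatures first, then entropy."""
    findings = []
    for offset, text in extract_strings(blob):
        matched = False
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                # Decoded ASCII is one byte per char, so char index == byte offset.
                findings.append(Finding(offset + m.start(), kind, m.group()))
                matched = True
        if not matched and len(text) >= ENTROPY_MIN_LEN and shannon_entropy(text) >= ENTROPY_THRESHOLD:
            findings.append(Finding(offset, "high_entropy_string", text))
    return findings


def ci_gate(blob: bytes) -> int:
    """Exit status for a pipeline step: non-zero when any secret-like string is present."""
    return 1 if scan_binary(blob) else 0


# Constructed sample artifact: a header-like prefix, a benign usage string, and
# four embedded secrets. AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in
# AWS documentation; the remaining values are made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(16)
    + b"Usage: program [options] input-file\x00" + bytes(4)
    + b"AKIAIOSFODNN7EXAMPLE\x00\xff\x10"
    + b"-----BEGIN PRIVATE KEY-----\x00"
    + b"token=hyp_live_a1B2c3D4e5F6g7H8i9J0k1L2m3N4\x00"
    + b"ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponm\x00"
)

if __name__ == "__main__":
    for f in scan_binary(SAMPLE_BINARY):
        print(f"0x{f.offset:06x} {f.kind:24s} {f.value}")
    raise SystemExit(ci_gate(SAMPLE_BINARY))
```

Signature matches are reported even when the surrounding string is low-entropy (a key ID inside a config line), while the entropy rule only catches material with no signature and therefore needs a per-project threshold; a real scanner would also decode compressed sections and resources before looking at strings, which this example deliberately omits.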
A recent ReversingLabs survey found 87% of respondents had detected significant risks in their software supply chain in the last year; the risks respondents rated most serious to the business were software containing vulnerabilities (82%), followed by secrets leaked through source code (55%), malicious code (52%) and suspicious code (46%).
A full 88% said software supply chain security is an enterprise-wide risk, but only 60% said their software supply chain defenses were up to the task. Nearly two-thirds (65%) of respondents, however, acknowledged their organization’s software supply chain security program wasn’t as mature as it should be. As a result, 80% are currently focused on improving security for the software supply chain, with 96% noting a more comprehensive approach to software supply chain security that detects more than vulnerabilities is needed.
It’s not entirely clear just yet whether development teams or cybersecurity teams will be taking the lead in terms of driving the adoption of DevSecOps best practices to secure software supply chains. It is clear that securing software supply chains in the wake of a series of high-profile breaches is a much higher priority.
Erik Thoen, director of product management for ReversingLabs, said as a result, it’s only a matter of time before development teams and cybersecurity professionals are forced to work more closely together than they have in the past.
In the longer term, a wave of legislation in the U.S. and Europe will soon require organizations to embrace DevOps best practices to address increased potential liability that might stem from an application breach. A proposed Cyber Resilience Act currently being negotiated by the member states of the European Union seeks to require organizations that sell internet-connected hardware platforms to ensure both their devices and their software comply with cybersecurity best practices. In the U.S., meanwhile, a National Cybersecurity Strategy proposal put forward by the Biden administration seeks to hold organizations that collect data or build software more accountable for breaches.
While both proposals are a long way from becoming law, it’s clear governments around the world are concluding the only way to ensure better cybersecurity is to require it.