ReversingLabs this week launched a binary analysis tool that uses machine learning algorithms to identify risks before and after applications are deployed.
Erik Thoen, vice president of product management for ReversingLabs, said Spectra Assure makes use of the same core artificial intelligence (AI) technologies the company uses to discover malware within binaries to analyze the entire software package, including first-, second- and third-party components, to identify potential threats.
Thanks to the use of AI, Spectra Assure is able to scan applications that are gigabytes in size in minutes or hours, depending on their complexity, noted Thoen.
That approach is critical because attacks launched against applications are more often aimed at binaries that are deployed in production applications rather than the source code used to create them, he added.
In addition, Spectra Assure can be applied to both open source and proprietary software, said Thoen. In contrast, many legacy scanning tools are designed to only surface potential issues in open source software, he noted.
Spectra Assure is designed to be used by both producers of software and the organizations that deploy software, said Thoen. Organizations that develop software need to be able to identify any potential security issues that may have arisen during the build process, while organizations that consume software need to be assured that there are no issues that will later compromise their IT environments, he added.
ReversingLabs is attempting to fill a gap that exists in many software supply chains between when a software build is completed and when it is deployed, said Thoen. While developers may scan source code for vulnerabilities, it’s not uncommon for changes made during the build process to inadvertently introduce vulnerabilities, he added.
It’s still not clear which teams within organizations are assuming responsibility for the software supply chain. In many cases, DevSecOps teams are securing the software supply chain, but in other instances, cybersecurity teams have been tasked to lock them down. Among organizations that consume software, responsibility for application security might be assumed by either the cybersecurity teams or a procurement office responsible for purchasing software.
Regardless of how software supply chain security is managed, the number of attacks against software supply chains has risen sharply. A recent ReversingLabs report found there has been a 1,300% increase in malicious packages found on open source software platforms since 2020.
Ultimately, it’s only a matter of time before more stringent regulations force the software supply chain security issue. A recent executive order issued by the Biden administration requiring federal agencies to secure software supply chains is a harbinger of stricter controls that enterprise IT organizations must implement. DevSecOps teams, in the meantime, have an opportunity to revisit the workflows that were created in an era where developers tended to overly trust the integrity of software components downloaded from open repositories.
Of course, it may require a catastrophic event to truly galvanize organizations into action, but one way or another, application security is going to improve. The only question left to settle is how expensive a proposition that will be, given the fines that are likely to be levied one day.