One of the lessons of software supply chain attacks like the recent hack of voice over IP (VoIP) provider 3CX is that development organizations need a broader set of tools to root out software supply chain attacks. Existing technologies like static- and dynamic application security testing (SAST and DAST) as well as software composition analysis (SCA) are necessary but insufficient to uncover sophisticated adversaries targeting development organizations and CI/CD pipelines.
That’s why ReversingLabs and Synopsys Inc. announced today that they are teaming up to combat software supply chain threats and boost software resilience. Under the terms of a new partnership agreement, Synopsys will resell the ReversingLabs Software Supply Chain Security (SSCS) platform standalone, or paired with Synopsys Black Duck software composition analysis (SCA) technology. The partnership will allow customers to spot vulnerabilities, malware and tampering within commercial, third-party and open-source software modules, providing a comprehensive view of software package risk built up along the software supply chain.
The partnership provides application security teams with critical capabilities through the ReversingLabs Software Supply Chain Security platform. They include binary software analysis; industry-leading package decomposition; comprehensive SBOM creation that captures both open-source and third-party software components and dependencies; as well as robust malware and software tampering detection.
Boosting Synopsys platform with malware, tampering detection
Synopsys’s Black Duck SCA manages the security, quality and license compliance risks in open source code in applications and containers. As a result of the new agreement, Synopsys customers will also get the benefit of ReversingLabs Software Supply Chain Security, which scans commercial third-party components for malware, secrets and instances of software tampering. The ReversingLabs Software Supply Chain Security capabilities provide security risk insight to quickly identify malware, software tampering, and anomalies inserted in software to prevent supply chain attacks before release. Together, the two products will provide customers with comprehensive, actionable software bills of materials (SBOMs) throughout the software supply chain.
Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement:
“ReversingLabs provides the perfect complement to our expertise in open source risk and application security by layering in some of the most advanced security technology available for identifying and eliminating security risk from commercial and third-party software components. Together, we can produce accurate and complete SBOMs that include all sources of software in the supply chain.”
Supply chain hacks expose blind spots
The challenge facing application security teams around software supply chain attacks was evident in the recent attack on 3CX, a provider of enterprise VoIP technology. The incident came to light after endpoint detection products flagged a signed update to 3CX’s desktop client as malicious. But an analysis of the compromised module by ReversingLabs revealed that there were red flags in the compromised update, compared with earlier, “clean” versions of the desktop client. Those could- and should have been spotted by 3CX before the update was signed and shipped to thousands of 3CX customers to install.
Critical to ReversingLabs Software Supply Chain Security’s ability to detect supply chain compromises is the ability to track the evolution of software packages through differential analysis of their contents. The platform can analyze the properties of each software component in the release, as well as the respective behavior of those components. Odd or inexplicable changes between builds are cause to investigate a possible compromise. This capability is particularly valuable when analyzing software packages that include components that are pre-compiled offsite and, therefore, are not subject to review prior to deployment.
ReversingLabs CEO Mario Vuksan said in a statement:
“Recent software supply chain attacks require a new approach to software resilience. Since our inception, we have been providing unmatched depth of binary component analysis and file threat intelligence. With Synopsys, our combined efforts will not only ensure regulatory needs are met but truly enable developers and security managers to avoid software threats and prioritize and action software risks and quality issues.”
Get ready for actionable SBOMs
With Synopsys and ReversingLabs, organizations can track open-source components, dependencies, vulnerabilities and license compliance risks, while also conducting deep binary scanning of commercial and third-party party components to identify instances of software tampering and embedded malware in software packages.
The attack surface of software releases is often more significant than most development and application security teams realize. Release packages and containers can have thousands of executable components with many layers of dependencies from internal, commercial, open-source and third-party suppliers, often beyond the discovery scope of many software composition analysis tools. As software packages continue to grow, application security tools need to evolve to assess risks such as malware and tampering lurking in gigabytes of non-executable files.
By adding malware and malicious code detection on top of comprehensive SBOM generation, Synopsys and ReversingLabs are empowering application security teams to more quickly address evolving supply chain threats while also helping them to keep abreast of changing regulatory and compliance demands stemming from Executive Order 14028 and industry specific initiatives focused on software transparency, SBOMs and more.
If you want to learn more about this exciting, new partnership, read the detailed blog post on Synopsys’s blog.
If you want to learn how application security is evolving to tackle supply chain security, check out our Special Report: The Evolution of Application Security. Plus: Explore ReversingLabs Software Supply Chain Security and its new secrets capabilities — and get started with a free trial today.