A local municipality partnered with ReversingLabs to operationalize Spectra Assure™ as part of their supply chain risk management program, aligning with NIST 800-53 controls. Like any organization that relies on third-party software, the city’s GRC and Security teams needed to prioritize business velocity without sacrificing security controls. With constituents spread across multiple local agencies, GRC and Security team members often faced questions as to why certain software is not permitted for use, despite being deemed business-critical by end users. The GRC and Security teams needed a way to clearly showcase embedded software risks to these non-technical stakeholders and demonstrate what secure, trusted software looks like.
Spectra Assure provides the most comprehensive SBOM and risk analysis, and is securely shareable. This allows the GRC officer to quickly analyze software requests, and then share the Spectra Assure SAFE Report with internal stakeholders and vendors to communicate and support their Go/No-Go decision.
With an end user population of roughly 16,000, the city’s GRC and Security Operations teams face a high volume of requests from end users to download and deploy untested third-party commercial software. Previously, the city relied on security rating services which provided only a high-level overview of a software provider’s risk exposure, but no details into the vendor’s security practices or the software package itself. Security and GRC stakeholders recognized that this would not prevent malicious software from being installed on end user devices.
Spectra Assure provided the city’s GRC and Security Operations teams with a primary control to assess whether third-party software packages were safe to use. Spectra Assure’s complex binary analysis provided immediate value by deconstructing and analyzing software in minutes without the need for source code. For example, it analyzed a popular free-to-use file management software in minutes, highlighting a number of security issues in the process. This approach provides the city’s GRC and Security Operations the information they need to make informed decisions on whether to accept or deny software requested by end users across multiple departments and agencies.
The city’s Governance, Risk, and Compliance (GRC) Office uses Spectra Assure to analyze commercial and freemium software packages requested by their end users to determine if a software package is safe to deploy to their environment or end user machines.
The shareable Spectra Assure SAFE Report provided the Security and Risk staff a means to identify and report on the dangers of software threats like malware, vulnerabilities, and suspicious behaviors. Security issues are clearly labeled and categorized by risk category and indicate which findings are in direct violation to the agency’s security policy. For stakeholders outside the Security and Risk organization, SAFE reports provide a digestible means to understand how third-party software packages expose the city to unnecessary risk.
With software supply chain risk as a growing priority for the local government, Spectra Assure provides the Security and GRC organizations with the necessary controls to comply with NIST’s security standards. The city’s third-party risk management strategy is rooted in NIST 800-53 controls but lacks an automated control to assess software required by their constituents.
Spectra Assure’s analysis serves as the de facto Go/No-Go decision point for the city’s third-party risk management framework. The city uses criteria outlined in NIST 800-53 to determine whether third-party software is eligible for analysis and ongoing monitoring. This criteria includes factors such as pervasiveness of the software, privileged access, interaction with critical infrastructure, and interaction with essential services – to name a few. Software packages that meet these criteria go through Spectra Assure as the primary control, enabling the GRC and Security teams to apply security best practices to their software acquisition process.