Software Assurance Foundational Evaluation (SAFE)

What is the SAFE report?

The Spectra Assure™ Software Assurance Foundational Evaluation (SAFE) Report delivers the most comprehensive SBOM and risk assessment of any binary to demonstrate what secure, trusted software looks like.

Spectra Assure’s AI-driven Complex Binary Analysis recursively deconstructs large, and complex software packages to identify embedded threats like malware, tampering, malicious behaviors, exposed secrets, and more. This data is then synthesized into an easily digestible, actionable, and shareable SAFE report that helps to assess embedded software risks and threats, demonstrate compliance, and attract and retain customers.

The SAFE report combines an SBOM with a comprehensive software risk assessment. Its contents exceed regulatory expectations and demonstrate a level of analysis well beyond the scope of SBOMs and traditional security testing tools and methods.

Why is the SAFE report important?

The SAFE report fills a much needed gap left behind by traditional AppSec tools, SBOMs, and traditional third-party cyber risk assessment methods that fail to adequately bring visibility to software supply chain risk and demonstrate due diligence to industry regulators and auditors.

Software supply chain attacks are increasing in cost and frequency:

The frequency of software supply chain attacks have seen triple digit increases according to Gartner, and costs of software supply chain attacks will rise 200% from $46 billion in 2023 to $138 billion by 2031.

By adopting SAFE, organizations are better equipped to safeguard against the complex and evolving nature of software supply chain threats, ensuring a more secure and resilient digital infrastructure.

Shifting regulatory/legislative climate:

Multiple regulatory agencies in both the United States and European Union have committed to curbing cybersecurity threats with new guidance, regulations and penalties:

White House E.O. 14028: This directive mandates the creation of standards, tools, best practices, and guidelines to strengthen the cybersecurity posture of the federal government, underscoring cybersecurity as a national priority.
Securities and Exchange Commission: The SEC has heightened its focus on cybersecurity risks, emphasizing transparency for investors and stakeholders in the event of a cyber incident.
Food and Drug Administration: By issuing guidance on cybersecurity practices for medical device manufacturers, the FDA aims to protect patient safety and the integrity of medical devices from cyber threats.
European Union: The Digital Operational Resilience Act (DORA) and the European Cyber Resilience Act (ECRA) are setting new standards for cybersecurity and resilience, mandating strict cybersecurity practices for both software producers and enterprise buyers.

The SAFE report aligns with the rigorous expectations of these diverse regulatory bodies, enabling organizations to navigate the intricate regulatory landscape, ensuring compliance while fortifying their software supply chain defenses.

CISO liability

The CISO role has been elevated in organizations and, with it, comes increased scrutiny and personal liability. The SEC are citing laws including the Securities Act of 1933 and the Securities Exchange Act of 1934 to hold CISOs personally accountable for cybersecurity lapses with penalties ranging from fines, all the way to jail time.

The SAFE report emerges as a crucial tool for CISOs by synthesizing software supply chain risk and threat data into clear, digestible and actionable insights for technical and non-technical stakeholders. The SAFE report enables CISOs to identify gaps in their existing controls and processes and gain the visibility needed to manage risks effectively.

CVE is Failing

The reliance on the Common Vulnerabilities and Exposures (CVE) system as the backbone of cybersecurity risk management is increasingly problematic, particularly in the context of software supply chains.

The pace at which new vulnerabilities (including zero-days) are identified and the system's capacity to catalog them continues to lag
CVE system's coverage is not exhaustive, missing threats in custom, proprietary, or less widely used software components along with threat categories beyond vulnerabilities like malware, tampering, exposed secrets, proper hardening, and malicious behaviors.
CVE descriptions also tend to lack the depth and specific context needed for organizations to assess the real-world impact on their unique environments.
Furthermore, the CVE system is inherently reactive, focusing on vulnerabilities after they have been discovered.

SAFE goes beyond just identifying known vulnerabilities to identify malware, tampering, exposed secrets, malicious behaviors, and proper hardening techniques. These findings are then mapped to specific components within a comprehensive SBOM, further enabling businesses to validate the integrity of the components used in their software.

Surface-Level Risk Assessments

Third-party risk professionals have relied on a suite of highly manual, often cumbersome solutions to evaluate vendor software risk. These solutions do not adequately identify the risk and threats in third-party software, and simply are not built to scale with the size and complexity of modern commercial software.

Vendor security questionnaires rely on good faith in the vendor to properly disclose the full extent of their security testing regimen
Pentesting is hyper-focused in scope, omitting a large portion of the codebase, and the fees associated with scoping and managing penetration tests are untenable at a larger scale.
Security rating services are often irrelevant in assessing the security posture of the software package itself as they rely on passive scans of the vendor’s externally-facing infrastructure.
Sandboxes are resource intensive, and can be easily evaded using malicious techniques such as time-based payload execution delay methods like those used within the SolarWinds software supply chain attack.
SBOMs, while a fundamental first step, is ultimately just a list of ingredients, providing no insight into more advanced software threats.

The SAFE report introduces a greater visibility into commercial software risks and threats, enabling transparency and collaboration between enterprise software buyers and their vendor partners. It provides details into risk categories that are overlooked by SBOMs and traditional third-party cyber risk methods by cataloging every first-, second-, and third-party component and providing actionable feedback if those components contain hidden threats like malware, tampering, suspicious behaviors, or others.

SAFE Use Cases:

The SAFE report can be adopted by AppSec and Development teams for organizations that build software, as well cyber risk professionals like TPRM, TPCRM, GRC, IT, and Procurement within enterprises that purchase commercial software software:

Software Producers (CISOs, AppSec, Security Engineers, and Product Security)

Simplifies the decision-making process for software procurement by providing a clear, standardized benchmark for security.
Minimizes the need for extensive and costly security assessments and audits.
Reduces liability for organizations by meeting regulatory compliance requirements more effectively.
Provides the most comprehensive SBOM and risk assessment of the entire application to identify malware, tampering, suspicious behaviors and more.

Enterprise Buyers (GRC, TPRM, TPCRM, AppSec, IT Ops, and Procurement)

Enhances market competitiveness by proving to prospective customers that your business tests for a broader scope of software threats
Preemptively mitigate risks associated with software risks and threats, reducing the likelihood of security breaches.
Provides the most comprehensive SBOM and risk assessment of the entire application to identify malware, tampering, suspicious behaviors and more across the entire software binary (proprietary, commercial, open-source, and all build components).

Components of the SAFE report

The SAFE Assessment: Go beyond the SBOM by identifying embedded malware, tampering, vulnerabilities, exposed secrets, suspicious behaviors, and proper application hardening.
Comprehensive SBOM: Catalog proprietary, open source, and commercial components and export to accepted CycloneDX and SPDX formats
SAFE Levels: Benchmark your software risk level with predefined security policies and rules and assess the risk that a software package may pose to your business
Shareable SAFE Reports: Enabling collaboration and transparency with third-parties by allowing businesses to share their SAFE report directly with vendors and regulators. The SAFE report shareable link is:
- Secure
- Password-protected
- Time-gated
- Revocable
Version Differential Analysis: Monitor new threats and risks introduced with new software versions or patches and track the progress of any risks and threats that have been remediated since the last version.

For more details on data and insights contained within the SAFE report, download our white paper.

Business Benefits of SAFE

Release with Confidence

The SAFE report provides enterprise software producers with early and actionable feedback on damaging software supply chain risks like malware, tampering, and exposed secrets without while encumbering speed-to-market.

Buy with Confidence

The SAFE report provides organizations with greater confidence in the security and reliability of the software they choose, streamlining the approval and acquisition process, and reducing spend on cumbersome and ineffective tools and processes.

Maintain with Confidence

With each commit, patch, release, and deployment, the SAFE report brings visibility to risks and threats within the software that runs your business, while demonstrating compliance in a complicated regulatory climate.

Learn More:

For further insights into the Spectra Assure SAFE Report, explore the following resources: