Why holistic software supply chain security requires binary analysis

In this episode of ReversingGlass, Matt Rose compares comprehensive software supply chain security to Russian Matryoshka dolls to showcase the several layers within software that need to be tested for malicious and vulnerable components.  

Learn More

• Glossary: What is Binary Analysis?
• Blog: Developers behaving badly: Why holistic AppSec is key
• Blog: The Power of Complex Binary Analysis
• Webinar: Static Analysis vs Static Binary Analysis

Episode Transcript

MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs and your host for these sessions, but you probably already figured that out. So today's episode, we're going to talk about binary analysis for SSCS. I've had a lot of conversations and questions around binary analysis for software supply chain, not really following how is that a benefit? We're going to start off with kind of a silly analogy here. So how many people are familiar, and I'm a terrible artist, with the Russian Matryoshka dolls, the stacking dolls that fit inside each other. So we have number one doll and then number two doll fits in, and this one's sad.

And then number three doll that's boring. And then number four doll, which is upset. They look like, I don't know the munchkins or something like that from - remember the old grimace or the munchkins from McDonald's. But this is the concept. There's a doll inside a doll.

And what this equals is, from concept, your software package. That thing that you're trying to develop. Either you're outsourcing or you're developing in house. The way in software to break apart the Matryoshka dolls like you would as a kid taking things apart, is to use binary analysis to take this package and break it up into a bunch of little packages.

So thinking about this, there are things in there, a software package is this compiled thing that you deploy to your cloud, your data center, your container, whatever that is. But binary analysis in itself is basically like taking a sledgehammer to the package and breaking it up into those parts. That way you can actually break down and see the source code, the open source packages, any dependencies, everything that you're deploying is in there.

So a lot of times people talk to me about software composition analysis and other AST tools. Those are looking at one of the dolls, one of the pieces inside the bigger doll, or the top doll, if you will. It's basically providing you a risk of lens of one thing, in one, two, three, or four, but it's not providing you all of it at one time.

From a supply chain risk, you have to understand the culmination of all your work. What have you been doing? Many developers are outsourced, or open source projects are all going in to create this and then deploy it. But supply chain risk is, okay, what is in there? Has it been compromised? Has it been tampered with?

Are there secrets that are potentially compromised? Has something been inserted at the code repo or at the build level? These are all common things you have to think about, and the only way you're getting that complete risk lens of software supply chain is through binary analysis. Yes, those other solutions like SCA and SAST and DAST and all the other ones that are scanning different parts or different states of an application or a piece of software are important because there are specific lenses of risk it's looking for, like OWASP Top 10 issues, SQL injection, cross site scripting, API abuse, those type of things. The only way to find the, as I've said before, the how malware, or how supply chain attacks are actually executed, and what is the supply chain itself, which is malware, that is through binary analysis. And the best way to do that is take that proverbial sledgehammer to your package and break it into a million pieces so you can see everything that's in there.

I'm Matt Rose. Hopefully that was interesting. Have a great day everybody. And thanks for watching.