ESF calls for software package final exams: Why binary analysis matters

January 4, 2024

In this episode of ReversingGlass, Matt digs into Section 4.3.2 of the Enduring Security Framework working group's latest supply chain security guidance to highlight key recommendations for complex binary analysis and reproducible builds.

Learn More

- Blog: ESF calls for binary analysis
- Webinar: Static Analysis vs Static Binary Analysis
- Blog: The Power of Complex Binary Analysis

Episode Transcript

MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. As usual, I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is all about the ESF December 2023 release. And if you don't know what ESF stands for, it is the Enduring Security Framework. It's an interesting article. Um, and I'm not going to brag, but I think I can predict the future.

I'm not as good as everybody's favorite family of, uh, Homer, Bart and Marge of the Simpsons of predicting the future. They seem to hit all these things all the time. I get it once in a while. I'm not as good as them. And, you know, I like to say even a broken clock is right twice a day. But let's dig into this.

The ESF December 2023 is all about securing the software supply chain - recommended practices for managing open source software and software bill of materials. This is a great document, very comprehensive. Long read, but I wanted to provide a little insight into an area that I found actually pretty interesting,

was around how you actually look for these things. How do you actually instantiate a software supply chain program? And there's a very interesting quote. If you guys have seen some of my other videos, I always talk about binary analysis, and we'll just make that nice and big because I've highlighted a section here.

In section 4. 3. 2, Secure Software Update Delivery, the document actually says, "Before shipping the software package to customers, the developers or supplier should perform binary composition analysis to verify the components of the package and in addition to that, reproducible build validation when possible."

Let's talk about these things. And we will basically make this just a little bit smaller so everybody can see my ugly face. So the big thing here to think about is what the ESF is saying, which is what I've been saying for a while now, is you need a final exam of whatever you're creating, your image, your package, your artifact, whatever that is.

And the binary analysis of taking the compiled object, blowing it back apart, tells you everything about it, inclusive of an SBOM. This lens here is more around open source components, uh, and that's what this, uh, document is really about, but let's think bigger than that. The final exam of the package, the artifact, the image is the final exam.

So you can actually trust your software. Uh, reproducible build is yet another step. It's like the sprinkles on top of the hot fudge sundae. Yes, doing binary analysis of a compiled package, but having a, um, tangential, uh, build environment that you basically can compare and contrast to make sure everything's working, is going the next step.

Most bleeding edge organizations, or a lot of bleeding edge organizations, are looking at the concept of reproducible builds. So, if the ESF says it has to be true, just like if it's on the internet it has to be true, then it is highly, highly recommended. And that final exam associated with binary analysis is the way to do it.

If you don't believe me, read this document and specifically focus on section 4.3.2, uh, Secure Software Update Delivery, which will give you a lot more color. So if you're concerned about software supply chain security, think of binary analysis of the package itself. I'm Matt Rose.

Hopefully you enjoyed this brief episode. Have a great day, everybody.

Matt Rose

About Author: Matt Rose

Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.

Related episodes

Artificial Intelligence (AI)/Machine Learning (ML)

ReversingGlass: EO on AI: What security teams need to know

Artificial Intelligence (AI)/Machine Learning (ML)

AI and Application Security: Proceed with Caution

ReversingGlass

What is ReversingGlass?

Subscribe

Sign up now to receive the latest weekly
news from ReversingLabs

Get Started
Request a DEMO

Learn more about how ReversingLabs can help your company reduce attack surface risks with deep software and file threat analysis to speed release and response. 

REQUEST A DEMO