It’s with tremendous excitement that I’m able to speak to our customers, partners and employees about the recent investment in ReversingLabs led by Crosspoint Capital Partners.
As the world has witnessed, the rise in supply chain attack sophistication has gone to another level over the last 12 months. Over this time, these attacks have taken advantage of an expanded attack surface area which has left developers and their customers extremely vulnerable.
As Gartner states, “By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021”. The consequences are that “...software engineering teams must assume that all code (both externally sourced and internally developed), development environments and tooling may have been compromised. In addition, security hygiene should now extend to external code dependencies and commercial off-the-shelf (COTS) software…”
ReversingLabs has been at the forefront of detecting and analyzing threats and tampering activity in software. Whether it was ShadowHammer in 2019, SunBurst in 2020, or the recent NPM Chrome password threat in 2021, ReversingLabs has made major contributions to educating the broader cybersecurity community by detecting and analyzing how supply chain threats have evolved and how these attackers have begun to take advantage of the security gaps in the application security toolchain.
You will have seen in our press release perspectives from Sudhakar Ramakrishna, President and CEO of SolarWinds and Dr. Zangardi, former CIO of the United States Department of Homeland Security and acting Department of Defense CIO. They express a joint view that the software supply chain threat is real and the need for solutions is acute:
“As an element of our Secure By Design initiatives, we’ve applied maximum attention to protecting the integrity of our software development and deployment pipeline from even the most determined and sophisticated attackers,” said Sudhakar Ramakrishna, President and CEO of SolarWinds. “We are working to help establish new standards for secure software development in the industry and ReversingLabs has since become an important part of our overall efforts.”
The impact and prevalence of software supply chain attacks has elevated this issue to the highest levels of business and government. On May 12, 2021, President Biden introduced an Executive Order on Improving the Nation’s Cybersecurity that specifically addresses software supply chain risk. This order covers mechanisms to assess the integrity of the software supply chain, including analysis of Software Bills of Materials (SBOM).
“We cannot afford to simply assume that the packaged software we bring into government agencies and enterprises is secure,” said Dr. John Zangardi, former CIO of the United States Department of Homeland Security and acting Department of Defense CIO. “Tools like the ones made by ReversingLabs will be a critical part of managing software assurance and assessing the security, integrity and composition of the software supply chain.”
Software security is not new. Companies have become very familiar with Static Application Security Testing (“SAST”) and Software Composition Analysis (“SCA”) toolsets, which have evolved and improved for many years now. But the sophistication of these new threats lies in areas outside the scope of SAST and SCA, which were primarily designed to identify mistakes in software development that introduced vulnerabilities through the source code. They were not designed to identify or prevent intentional malicious tampering. Companies have an urgent need to fill these gaps.
While it is still important to assess source code for quality, vulnerabilities and compliance, the modern application development process introduces many unknowns during the build process and subsequent application deployment. Specifically, there is a lack of transparency and control when attempting to assess compiled third-party and open-source components. These components may be built from code and finished modules from other contributors, statically compiled and thus outside the purview of classic software security tools.
Nobody can unpack and understand the security depths of a compiled software binary like we can at ReversingLabs. Its components. Its quality issues. Its surface risk area. Its code signing infrastructure. Its potentially unwanted behaviors. And accidentally introduced secrets. A final verification is necessary to allow developers, software owners, and IT managers to trust that their software is safe. And we’re partnering with some of the largest software development shops to assist them with the software assurance services we’re delivering at secure.software.
Crosspoint Capital, with their years of security and operational expertise, will be a great partner for us as we scale our company to meet this surging demand.
Together with Crosspoint we’re looking forward to our next step in the ReversingLabs journey. With further investment in our people, technology, and supply chain security solutions, we'll be in a position to arm all organizations with the weapons to win in this battle that’s just starting to take shape across the software supply chain.
Source: Gartner, “How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks”, 15 July 2021