Software supply chain risk demands our attention

Paul Roberts, Content Lead at ReversingLabs

Software supply chain attacks are a top concern, but the tools for monitoring and stopping them lag behind. Meet ReversingLabs' new platform: secure.software.

The attention of the information security world will shift to San Francisco next week, when the annual RSA Conference brings some of the world's top cybersecurity experts to the City by the Bay after a two-year, pandemic-induced pause.

A lot has happened in the two years since the onset of the pandemic. In the realm of cyber risk, software supply chain attacks and incidents of software tampering have grown in both prominence and sophistication, with incidents like the SolarWinds and Codecov attacks making headlines. Despite that, most would-be targets of those attacks - software publishers and their customers - are ill-prepared to counter them, or the broader risks that lurk in vulnerable CI/CD ecosystems.

That's why this year, threats to, and attacks on, software supply chains are at the top of the agenda at the show, with more than 40 talks focused on software integrity and supply chain security. And that's why ReversingLabs will use RSA to unveil the findings of a survey we commissioned on supply chain risk (download), and to give the world an early look at secure.software, a new service we are launching that provides software supply chain security protection for CI/CD workflows, containers, and release packages.

[ Get key takeaways from a survey of 300+ security professionals on software security. Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks ]

Software supply chain attacks: Defenses lag

This growing focus on supply chain threats is warranted. A survey commissioned by ReversingLabs (download the infographic) asked executives and technology and security professionals at software enterprises about supply chain attacks and the risk posed by software tampering. Despite being keenly aware of the dangers of publishing vulnerable software, these IT pros told us that their companies remain at risk.

For example, nearly every respondent to our survey (98 percent) acknowledged that the use of third-party software, including open-source software, increases security risk. However, the gap between awareness and response is wide. When asked, 87 percent of security and technology professionals agreed that software tampering is a new vector with breach opportunities for bad actors, but only 37 percent said they have a way to detect it across their supply chain. Of those that can detect software tampering, just seven percent do it at each phase of the software development lifecycle. Barely 1 in 3 actually check for tampering once an application is final and deployed.

Flying blind: Read the report

ReversingLabs' full report, Flying Blind: Software Firms Struggle To Detect Supply Chain Hacks, covering the survey results, is available immediately. To learn more about the findings, access the overview and infographic.

And, if you're attending RSA and want to learn more about what we found, check out our own Jasmine Noel's RSA presentation, Software Supply Chain Security is no game, or is it?, next Tuesday, June 7.

The bigger question for enterprises, as well as software publishers, is what to do about the growing threat of attacks on software supply chains and CI/CD ecosystems. Despite recent high-profile supply chain attacks like SolarWinds, most firms are still working out how to respond to such threats.

"Respondents recognize that tooling and automation are necessary for the detection of tampering at all phases of the software development process. Still, they struggle to advance it in practice," notes ReversingLabs CEO Mario Vuksan. "As new solutions become available that provide insight into developed code and that can detect tampering before public distribution, organizations can take steps to properly manage their software supply chain risk, and ensure that their code isn't a victim of tampering by sophisticated cyber actors."

An early look at ReversingLabs' secure.software platform

With its deep experience in malware analysis and file-based attacks, ReversingLabs is turning its attention to helping development teams improve the security of software releases. It is also giving security operations teams a view of supply chain risks and software tampering that can be critical to incident response and threat hunting processes.

In 2021, ReversingLabs launched its Managed Software Assurance Service to protect the software development and release process from sophisticated software supply chain attacks. The service provides threat-research-led analysis and security interpretation of software package security quality, audit tracking, and remediation.

Now ReversingLabs is incorporating this service into a soon-to-be-released solution: secure.software. ReversingLabs secure.software provides software supply chain security protection for CI/CD workflows, containers, and release packages. It is the only integrated platform that detects high-risk threats, malware, backdoors, exposed secrets, and software tampering across the software development cycle.

We're now offering early access to the all-new ReversingLabs secure.software portal. Early access includes all assessment results, with the ability to export reports; exclusive "Early Access Program AMA Virtual Sessions" with ReversingLabs secure software experts; and invitations to Roadmap Review Events, where Early Access Program customers can review new features and discuss feature requests.

We will demonstrate these capabilities next week at RSA. To learn more, visit ReversingLabs at Booth #4429, or sign up for early access to ReversingLabs secure.software at https://secure.software.
