Products & Technology | September 10, 2025

ActiveState and RL: Unlocking Software Supply Chain Security

Learn how ActiveState and ReversingLabs integration automates secure component sourcing, secure software releases, remediation guidance, and policy enforcement.

Jasmine Noel, Senior Product Marketing Manager at ReversingLabs.

The modern software supply chain is a double-edged sword. On one hand, open-source components and rapid development methodologies accelerate innovation and time to market. On the other, they introduce a complex web of dependencies, increasing the attack surface and making it challenging to ensure the security of your applications. In this landscape, a robust Software Supply Chain Security (SSCS) strategy is no longer a luxury but a necessity.

Two key players are making significant strides in addressing these challenges: ReversingLabs Spectra Assure and ActiveState OSPM (ActiveState Platform for Open Source Posture Management). While each offers powerful capabilities independently, their integration creates a formidable defense, providing unparalleled visibility and control over your software artifacts.

Understanding the Pillars of Security

Let's briefly look at what each platform brings to the table:

  • ReversingLabs Spectra Assure focuses on deep analysis of software binaries, builds, releases or VMs without requiring access to source code. It provides granular visibility into the composition of your software with binary analysis, and identifies known and unknown malware, tampering, and vulnerabilities with threat intelligence curated from billions of software scans. Think of it as an MRI machine for your builds, releases and artifacts, revealing details about even the smallest third-party component.
  • ActiveState ASPM (OSPM) focuses on the secure management of open-source dependencies throughout the entire development lifecycle. It helps organizations build, manage, and secure their open-source language environments, ensuring consistency, provenance, and integrity of the components developers use. This platform helps prevent malicious or vulnerable components from ever entering the build process, providing a trusted source for open-source packages.

The Synergy: Where Visibility Meets Control

The true power emerges when ReversingLabs Spectra Assure and ActiveState OSPM work in concert. Imagine a scenario where:

  1. Secure Component Sourcing (ActiveState ASPM (OSPM)): Your development teams rely on ActiveState ASPM to select and manage their open-source dependencies. OSPM ensures that these components are sourced from trusted repositories, are free from known vulnerabilities (as much as possible before deeper analysis), and have a clear audit trail. This establishes a "known good" baseline for your open-source usage.
  2. Deep-Dive Verification (ReversingLabs Spectra Assure): Before your applications reach deployment, ReversingLabs Spectra Assure performs a comprehensive analysis of the compiled binaries, release packages, or virtual machines. The assessment goes beyond simple manifest analysis to detect embedded threats across software components, libraries, scripts, and artifacts, including all of the open-source components managed by ActiveState ASPM. Spectra Assure's rapid binary analysis enables you to ensure your customers remain safe by highlighting:
      • Hidden Malware: Even if a component was initially deemed "safe," Spectra Assure can detect embedded malware or supply chain attacks that might have been introduced later in the build process or were previously unknown.
      • Tampering: By comparing new builds with previous, known good builds, Spectra Assure can flag anomalies, unusual patterns, or changes in behaviors that are critical for identifying subtle attacks on your CI/CD.
      • Software Bill of Materials (SBOM) Verification: The analysis generates a comprehensive SBOM, providing an auditable record of every component within the final binary. It also enables verification that ActiveState-managed open source has remained unchanged throughout build and packaging stages.
      • Malware Exploited Vulnerabilities: To aid remediation planning, Spectra Assure determines whether critical vulnerabilities are being exploited by malicious actors using proprietary threat intelligence that is continually curated from millions of files being analyzed every day.
  3. Automated Remediation and Policy Enforcement: The insights from Spectra Assure can then feed back into your development and release pipelines. If a malicious artifact or critical vulnerability recently weaponized with malware is detected, automated policies can trigger actions such as:
      • Blocking the release of the affected software.
      • Alerting security teams for immediate investigation.
      • Providing actionable intelligence to developers to fix the issues, potentially leveraging ActiveState ASPM (OSPM) to update or replace problematic components.

The Benefits of Integration

This integrated approach delivers a multitude of benefits:

  • Comprehensive Threat Detection: Uncover a wider range of threats, from known vulnerabilities to sophisticated supply chain attacks and embedded malware.
  • Reduced Risk: Minimize the attack surface by ensuring the integrity and security of both your open-source dependencies and your final compiled software.
  • Enhanced Compliance: Meet regulatory requirements and industry standards with accurate SBOMs and auditable security processes.
  • Faster, Safer Releases: Accelerate your development cycles by automating security checks and providing rapid feedback to developers, reducing costly rework.
  • Increased Confidence: Gain greater assurance in the security posture of your software, from development to deployment.

In the ever-evolving landscape of software supply chain threats, a multi-layered security strategy is paramount. The integration of ReversingLabs Spectra Assure and ActiveState ASPM provides a powerful combination of deep analysis and secure component management, enabling organizations to build, release, and operate software with unprecedented levels of confidence and security. By bringing together these two robust solutions, you're not just securing your software; you're future-proofing your entire software supply chain.

ActiveState Chief Revenue Officer Steve Ruggieri co-authored this blog post.
