Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialBuilding an exemplary, leading program devoted to securing a complex, modern software supply chain was the critical objective for SolarWinds after the Sunburst incident. While SolarWinds continued to leverage legacy application security testing tools, they embarked on a mission to identify new tools that could provide novel and deeper insights that identify risks and threats.
That's when SolarWinds added Spectra Assure™ to its development and deployment pipeline. Spectra Assure provides “a final check,” CISO Tim Brown said. “ReversingLabs always plays that important final check to say, ‘Is anything else in here that is suspect?’ that could include unexplained changes to the build process, or unexpected additions to the software. By comparing new builds with previous, known good builds, SolarWinds can “make sure nothing nefarious got into a release,” Brown said.
Malware, tampering, suspicious behavior changes, and more can be identified within proprietary, commercial, and open-source components, plus artifacts added during compilation. In addition, Spectra Assure determines if software components or artifacts behave as expected – flagging anomalies, unusual patterns, or changes in behaviors, which is critical for seeing and stopping novel supply chain attacks before release.
Automated prioritization helps product and security teams organize remediation projects for development teams, which is critical for balancing security improvements with delivery timelines.
Tim Brown, CISO, SolarWindsReversingLabs always plays that important final check to say, ‘Is anything else in here that is suspect?’
SBOMs That Drive Transparency and Business
SolarWinds sees an increasing number of requests for software bills of materials (SBOMs) before purchase. This marks a critical milestone for enterprise procurement where vendor transparency is implemented as a best practice. These prospective customers need software inventory information to manage third-party risk effectively.
“ReversingLabs is what we use to generate that SBOM,” Brown said. “Our customers are requesting them. Our customers need them. The ability to produce SBOMs helps us close our deals.”
Spectra Assure generates a comprehensive SBOM by analyzing the entire software release that customers will receive, including proprietary, commercial, and open-source components. Assessing software in its final executable state creates a more comprehensive software inventory than tools focused solely on open-source components or that rely solely on build manifests that specify the expected software contents rather than the actual contents. SBOMs are exported in the CycloneDX or Software Package Data Exchange (SPDX) formats, both industry standards, to respond to customer requests.
