Why holistic software supply chain security requires binary analysis

December 13, 2023

In this episode of ReversingGlass, Matt Rose compares comprehensive software supply chain security to Russian Matryoshka dolls to showcase the several layers within software that need to be tested for malicious and vulnerable components.  

Learn More

Episode Transcript

MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs and your host for these sessions, but you probably already figured that out. So today's episode, we're going to talk about binary analysis for SSCS. I've had a lot of conversations and questions around binary analysis for software supply chain, not really following how is that a benefit? We're going to start off with kind of a silly analogy here. So how many people are familiar, and I'm a terrible artist, with the Russian Matryoshka dolls, the stacking dolls that fit inside each other. So we have number one doll and then number two doll fits in, and this one's sad.

And then number three doll that's boring. And then number four doll, which is upset. They look like, I don't know the munchkins or something like that from - remember the old grimace or the munchkins from McDonald's. But this is the concept. There's a doll inside a doll.

And what this equals is, from concept, your software package. That thing that you're trying to develop. Either you're outsourcing or you're developing in house. The way in software to break apart the Matryoshka dolls like you would as a kid taking things apart, is to use binary analysis to take this package and break it up into a bunch of little packages.

So thinking about this, there are things in there, a software package is this compiled thing that you deploy to your cloud, your data center, your container, whatever that is. But binary analysis in itself is basically like taking a sledgehammer to the package and breaking it up into those parts. That way you can actually break down and see the source code, the open source packages, any dependencies, everything that you're deploying is in there.

So a lot of times people talk to me about software composition analysis and other AST tools. Those are looking at one of the dolls, one of the pieces inside the bigger doll, or the top doll, if you will. It's basically providing you a risk of lens of one thing, in one, two, three, or four, but it's not providing you all of it at one time.

From a supply chain risk, you have to understand the culmination of all your work. What have you been doing? Many developers are outsourced, or open source projects are all going in to create this and then deploy it. But supply chain risk is, okay, what is in there? Has it been compromised? Has it been tampered with?

Are there secrets that are potentially compromised? Has something been inserted at the code repo or at the build level? These are all common things you have to think about, and the only way you're getting that complete risk lens of software supply chain is through binary analysis. Yes, those other solutions like SCA and SAST and DAST and all the other ones that are scanning different parts or different states of an application or a piece of software are important because there are specific lenses of risk it's looking for, like OWASP Top 10 issues, SQL injection, cross site scripting, API abuse, those type of things. The only way to find the, as I've said before, the how malware, or how supply chain attacks are actually executed, and what is the supply chain itself, which is malware, that is through binary analysis. And the best way to do that is take that proverbial sledgehammer to your package and break it into a million pieces so you can see everything that's in there.

I'm Matt Rose. Hopefully that was interesting. Have a great day everybody. And thanks for watching.

Matt Rose

About Author: Matt Rose

Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.

Related episodes

Artificial Intelligence (AI)/Machine Learning (ML)

ReversingGlass: EO on AI: What security teams need to know

ReversingGlass

Shift Up Your SBOM

Artificial Intelligence (AI)/Machine Learning (ML)

AI and Application Security: Proceed with Caution

ReversingGlass

What the heck is an SBOM?

ReversingGlass

What is ReversingGlass?

Subscribe

Sign up now to receive the latest weekly
news from ReversingLabs

Get Started
Request a DEMO

Learn more about how ReversingLabs can help your company reduce attack surface risks with deep software and file threat analysis to speed release and response. 

REQUEST A DEMO