ESF calls for software package final exams: Why binary analysis matters
In this episode of ReversingGlass, Matt digs into Section 4.3.2 of the Enduring Security Framework working group's latest supply chain security guidance to highlight key recommendations for complex binary analysis and reproducible builds.
MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. As usual, I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is all about the ESF December 2023 release. And if you don't know what ESF stands for, it is the Enduring Security Framework. It's an interesting article. Um, and I'm not going to brag, but I think I can predict the future.
I'm not as good as everybody's favorite family of, uh, Homer, Bart and Marge of the Simpsons of predicting the future. They seem to hit all these things all the time. I get it once in a while. I'm not as good as them. And, you know, I like to say even a broken clock is right twice a day. But let's dig into this.
The ESF December 2023 is all about securing the software supply chain - recommended practices for managing open source software and software bill of materials. This is a great document, very comprehensive. Long read, but I wanted to provide a little insight into an area that I found actually pretty interesting,
was around how you actually look for these things. How do you actually instantiate a software supply chain program? And there's a very interesting quote. If you guys have seen some of my other videos, I always talk about binary analysis, and we'll just make that nice and big because I've highlighted a section here.
In section 4. 3. 2, Secure Software Update Delivery, the document actually says, "Before shipping the software package to customers, the developers or supplier should perform binary composition analysis to verify the components of the package and in addition to that, reproducible build validation when possible."
Let's talk about these things. And we will basically make this just a little bit smaller so everybody can see my ugly face. So the big thing here to think about is what the ESF is saying, which is what I've been saying for a while now, is you need a final exam of whatever you're creating, your image, your package, your artifact, whatever that is.
And the binary analysis of taking the compiled object, blowing it back apart, tells you everything about it, inclusive of an SBOM. This lens here is more around open source components, uh, and that's what this, uh, document is really about, but let's think bigger than that. The final exam of the package, the artifact, the image is the final exam.
So you can actually trust your software. Uh, reproducible build is yet another step. It's like the sprinkles on top of the hot fudge sundae. Yes, doing binary analysis of a compiled package, but having a, um, tangential, uh, build environment that you basically can compare and contrast to make sure everything's working, is going the next step.
Most bleeding edge organizations, or a lot of bleeding edge organizations, are looking at the concept of reproducible builds. So, if the ESF says it has to be true, just like if it's on the internet it has to be true, then it is highly, highly recommended. And that final exam associated with binary analysis is the way to do it.
If you don't believe me, read this document and specifically focus on section 4.3.2, uh, Secure Software Update Delivery, which will give you a lot more color. So if you're concerned about software supply chain security, think of binary analysis of the package itself. I'm Matt Rose.
Hopefully you enjoyed this brief episode. Have a great day, everybody.