Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialSo what happened was post-SolarWinds, we basically created a product for the AppSec professional for the product security office to help prevent vulnerabilities and software supply chain attacks like SolarWinds.
So now we have a product which is called Software Supply Chain Security, that basically helps integrate and automate supply chain scanning of the compiled package as part of that CI/CD pipeline or that final check released to production, if you will.
So think about ReversingLabs, having the capability to look at very large files, scan them in minutes post compilation, pre-deployment, defined software supply chain risk. Software supply chain risk that we're really focusing on at the company is about malware, which is a huge issue. A lot of the vendors that say they do software supply chain security these days are only looking at open source packages.
Are they compromised?
Are there vulnerabilities in them?
Do you need to upgrade?
Are there licensing issues?
We focus on those things as well in some way, shape and form, and I'll talk about it, but more on the malware that potentially is inserted. Secrets identification and prioritization: are the secrets potentially compromised, which are the real secrets you need to worry about. DIFFing of product releases:
So I have version 1.1 of my product. I do a bunch of changes. Now I have version 1.2. I add files, delete files, change files based on our inability to integrate into [00:04:00] that CI/CD pipeline, we can do a DIFF from version 1.1 to 1.2, what files were added, what files were deleted, what files were changed, so on and so forth.
We also have a big one, and this is one of the things that really shines for the company, is we identify behaviors of that application. Once we actually recursively rip apart through binary analysis, the package, and we recognize many different files, war files, jara files, DLLs, ISOs, MSIs, many different files, very complex files.
We can say, hey, this is what this application is programmatically doing. Does that fit or jive with the intentions of the product? Does that fit the threat model of the product? Because a lot of times, and this is a, an obvious thing, but I always like to throw it out there, malware, the first one we talk about here, is not malware.dll.
You just do a gripper of search in the product to say, hey, is there malware? Okay? No. Malware is very good at hiding itself, but it does change certain behaviors in the application to allow the malware to successfully execute itself.
So ReversingLabs is a company that really focuses on two areas, malware analysis and threat hunting for that SOC analyst and Software Supply Chain Security for product security officer, application security professionals to help prevent the next software supply chain attack like SolarWinds or more recently, CircleCI or even more recently, 3CX.
I'm Matt Rose. Hope you enjoyed this episode, not episode, but conversation about who is ReversingLabs, what we do.
We are the software supply chain company with the largest reputational database that's private of malware in the world.
Have a great day. Thanks for taking the time.

