© 2019 Synopsys, Inc.
Is Your Software Supply Chain a Security Blind Spot?
Lisa Bryngelson Sr. Product Manager - Black Duck Binary Analysis
July 25, 2019
Agenda
How is scanning binaries for open source different than source code?
Key Use Cases
How to make your company more secure?
Let’s make sure we are all on the same page …
• A binary file is a non-text file containing bytes that are interpreted as something other than text characters.
• Examples: compiled programs (.exe), ISO images, RPM packages, Linux distributions, Docker containers, JARs, .class files, DLLs, firmware
Differences between identifying open source in
source code vs. binaries
Should I really be concerned about binaries if I scan source?
In Gartner’s Latest Survey, Cybersecurity Risk (Again) Comes Out as the No. 1 Concern
for Supply Chain Leaders *
“In Gartner’s recent “Future of Supply Chain” survey of 270 supply chain leaders, we asked
respondents to identify their top concerns regarding a series of risks within their supply and
demand chains in 2018 and 2019 …
The results are loud and clear and consistent with data we have been seeing for several years
now (see “Combat Digital Security Threats to the Supply Chain”). Cybersecurity attacks rank
well above all other risks, whether they are regulatory, operational or financial.”
* Gartner report “Get Ahead of the Expanding Risk Frontier: Supply Chain Security” May 20, 2019
Identifying open source in source code vs. binaries
• You care about managing open source in your applications.
• You should care about the open source in binaries as well as in the source.
• If you ship a binary, you may still be responsible for any risks found in it.
• Know your company's risk tolerance.
Since you don't have access to the source, there are a couple of options:
• Trust what the supplier tells you is in the binary
• Scan the binary with a tool that can interrogate the binary itself
Recommendation:
• Trust but verify
What are the key use cases for binaries
What are the key use cases for binaries?
• Supply Chain
Your suppliers, their suppliers, and so on deliver a product as, or including, binaries that end up in your own products
• Development
Developers "drag in" dependencies in the form of libraries, DLLs, etc.
• Procurement
Packaged software purchased from vendors for internal use
• Vertical Isolation
Business units that only share binaries with other business units, as in classified environments
Where do binaries come from?
Another piece of the supply chain puzzle: binaries
How do binaries get into the product?
Diagram: three sources feed the product, each arriving either as source or as binary: third-party commercial software, open source components, and custom code developed in-house. Third-party and open source components are often delivered as binary and are difficult to crack open to understand their contents.
How to make your Company more secure?
End-to-end control of open source risks
• DETECT: Inventory and track all open source components in your code
• MANAGE: Set, verify, and enforce open source security and use policies across the supply chain
• MONITOR: Actively monitor and fix new vulnerabilities that impact deployed software
• PROTECT: Identify and remediate known open source vulnerabilities and license issues before you ship
INTEGRATE and AUTOMATE with your DevOps tools and processes
When to scan for binaries?
Where do the binaries come into your SDLC?
Do you have access to the source for the binary?
What is your company's risk tolerance?
– Impacts how often you scan
– Impacts to what level you identify components
– Determines whether OSS approvals are required
When to Scan during the SDLC?
Diagram: SDLC timeline of Development, Build, Test, Deploy and Production, with an OSS Approval gate.
Things to think about when you look at binary analysis
tools
• What type of binaries are you scanning?
– Structured/unmodified
– Unstructured/modified (custom binaries)
• Language and artifact support
• What scanning techniques are used?
– Many tools only read the archive's manifest and report the package names it lists
– You want a tool that actually cracks open the binary and discovers the composition inside
– Signature and string matching
• What kind of metadata is available for the binary matches?
– Security vulnerability info (NVD, Linux backpatching, remediation help)
– License information
– Other data (hashes, timestamps, paths, string searches, permissions)
Black Duck Binary Analysis
Black Duck Binary Analysis
• Black Duck Binary Analysis is an automated software composition analysis tool that enables organizations to audit open source software for security vulnerabilities and compliance in third-party code.
• Its focus is scanning binaries
• Pulls security vulnerability data from the NVD
• Surfaces backpatch information for Linux distros
• 200,000 components in the KnowledgeBase
• Security vulnerability data is updated four times per day for the cloud offering
• Matching is based on hash matching combined with string-search algorithms; no reverse engineering or decompilation is used
Find open source security, compliance, and quality risks in executables and libraries
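A worked illustration of the two matching techniques the slides name (hash matching for unmodified files, string matching on version banners for rebuilt or modified ones), added here as an example and not Black Duck's own code. It recursively unpacks a constructed sample deliverable (a zip holding a gzipped tar of a fake rootfs), hashes every leaf file against a toy knowledgebase, and falls back to banner regexes where no hash matches. The `KNOWN_HASHES` table, the `VERSION_PATTERNS` and the sample rootfs are all constructed for this example and stand in for the far larger signature set a real scanner carries.

```python
"""Toy binary composition scan: crack open an archive recursively, hash-match
every file against a known-component table, and fall back to string (version
banner) matching where no hash matches.

Everything here is constructed for illustration: the known-hash table, the
banner patterns and the sample firmware package.
"""
import hashlib
import io
import re
import tarfile
import zipfile

MAX_DEPTH = 8  # stop recursing into nested archives (zip bombs, self-containing tars)

# Constructed knowledgebase: sha256(file bytes) -> (component, version).
# A real tool keys on hashes of every file of every release it has indexed.
KNOWN_HASHES = {}

# Constructed banner patterns; open source libraries commonly embed these
# strings verbatim, so they survive compilation and symbol stripping.
VERSION_PATTERNS = [
    ("openssl", re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")),
    ("zlib", re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+)")),
    ("libpng", re.compile(rb"libpng version (\d+\.\d+\.\d+)")),
]


def register_known(component, version, content):
    """Add one exact file (an assumed-known good copy) to the knowledgebase."""
    KNOWN_HASHES[hashlib.sha256(content).hexdigest()] = (component, version)


def iter_files(data, path="", depth=0):
    """Yield (path, bytes) for every leaf file, recursing into nested archives."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from iter_files(zf.read(info), f"{path}/{info.filename}", depth + 1)
    elif depth < MAX_DEPTH and tarfile.is_tarfile(io.BytesIO(data)):
        # mode "r" means "r:*": gzip/bzip2/xz compressed tars are handled transparently
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    blob = tf.extractfile(member).read()
                    yield from iter_files(blob, f"{path}/{member.name}", depth + 1)
    else:
        yield path, data


def scan(data):
    """Return findings as (path, component, version, method) tuples."""
    findings = []
    for path, content in iter_files(data):
        digest = hashlib.sha256(content).hexdigest()
        if digest in KNOWN_HASHES:  # exact, unmodified copy of a known file
            component, version = KNOWN_HASHES[digest]
            findings.append((path, component, version, "hash"))
            continue
        for component, pattern in VERSION_PATTERNS:  # rebuilt binary: banner still present
            m = pattern.search(content)
            if m:
                findings.append((path, component, m.group(1).decode(), "string"))
    return findings


def build_sample_package():
    """Constructed vendor deliverable: a zip holding a gzipped tar of a fake rootfs."""
    busybox = b"\x7fELF" + b"\0" * 60 + b"BusyBox v1.24.2 multi-call binary" + b"\0" * 100
    register_known("busybox", "1.24.2", busybox)  # the only file the toy KB knows by hash
    libz = b"\x7fELF" + b"\0" * 64 + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler" + b"\0" * 32
    libcrypto = b"\x7fELF" + b"\0" * 64 + b"OpenSSL 1.0.2k  26 Jan 2017" + b"\0" * 32
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        for name, blob in [("bin/busybox", busybox), ("lib/libz.so.1", libz),
                           ("lib/libcrypto.so.1.0.0", libcrypto)]:
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tf.addfile(info, io.BytesIO(blob))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("rootfs.tar.gz", tar_buf.getvalue())
        zf.writestr("README.txt", "vendor firmware package, contents not disclosed")
    return zip_buf.getvalue()


if __name__ == "__main__":
    for finding in scan(build_sample_package()):
        print("%-40s %-10s %-8s via %s" % finding)
```

Two points the toy makes that matter in practice: hash matching alone is not enough, because a supplier rebuild with different compiler flags changes every hash while leaving the banner intact, so the string pass is what catches the OpenSSL and zlib copies above; and `MAX_DEPTH` exists because nested archives are exactly how a crafted input exhausts a scanner.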
Black Duck Binary Analysis
Find open source security, compliance, and quality risks in executables and libraries
• Detect
Analyze firmware, mobile apps and virtual appliances without access to source.
• Protect
Identify embedded open source usage and risks within binary executables and libraries.
• Manage
Combat code decay and improve software quality within binary dependencies.
• Monitor
Proactive alerts for new vulnerabilities in previously scanned binaries
Black Duck Binary Scanner – supported file formats
• Compression Formats:
– gzip (.gz)
– bzip2 (.bz2)
– lzma (.lz)
– lz4 (.lz4)
– compress (.Z)
– xz (.xz)
– pack200 (.jar)
• Archive formats:
– Zip (.zip, .jar, .apk and derivatives)
– Xar (.xar)
– 7zip (.7z)
– ARJ (.arj)
– Tar (.tar)
– VM Tar (.tar)
– cpio (.cpio)
– RAR (.rar)
– LZH (.lzh)
– Electron archive (.asar)
• Firmware formats:
– Intel HEX
– SREC
– uBoot
– Arris firmware
– Juniper firmwares
– Kosmosx firmwares
– Android Sparse Filesystem
– Cisco firmwares
• Other:
– Various other formats which are effectively tarballs, zips
or other archives, like other Linux package formats,
containers (e.g. Docker)
– Unrecognized data blobs are scavenged for common
filesystems, archives and executables
Installation formats:
• Redhat RPM (.rpm)
• Debian package (.deb)
• Mac installers (.dmg, .pkg)
• Unix Shell file installers (.sh, .bin)
• Windows installers (.exe, .msi, .cab)
Filesystems / Disk images:
• ISO 9660 / UDF (.iso)
• Windows imaging
• ext2/3/4
• JFFS2
• UBIFS
• RomFS
• Microsoft Disk Image
• Macintosh HFS
• VMWare VMDK (.vmdk, .ova)
• QEMU copy-on-write (.qcow2)
• Virtualbox VDI (.vdi)
• QNX - EFS, IFS
• Netboot images (.nbi)
…
Black Duck Binary Analysis Metadata
• Security-relevant file information
– NVD CVE data and Linux backpatch information
– Missing exploit mitigation features in compiled files, e.g. stack protector, ASLR
– Required permissions for Android/iOS apps
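How the "missing exploit mitigation features" metadata can be read straight out of an ELF header, as an added example and not Black Duck's implementation: PIE from `e_type` (ASLR of the executable image itself requires PIE), NX from the `PT_GNU_STACK` flags, partial versus full RELRO from `PT_GNU_RELRO` plus a `BIND_NOW` flag in the dynamic section, and the stack protector from the `__stack_chk_fail` import. `build_elf` is a constructed helper that synthesises minimal, non-loadable ELF64 images so the checker can be exercised offline; the canary check is a byte-string heuristic, where a production scanner would parse the dynamic symbol table.

```python
"""Exploit-mitigation check for ELF64 binaries: PIE, NX stack, RELRO and stack
canaries, read from the ELF program headers the way a binary scanner would.
build_elf() constructs synthetic images for offline testing; they are not
runnable programs.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_mitigations(data):
    """Return {'pie', 'nx', 'relro', 'canary'} for a 64-bit little-endian ELF image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    report = {
        "pie": e_type == ET_DYN,                # ET_DYN executables are position independent
        "nx": False,                            # no PT_GNU_STACK: checksec-style tools report NX off
        "relro": "none",
        "canary": b"__stack_chk_fail" in data,  # heuristic: import exists only if -fstack-protector fired
    }
    has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)  # executable stack flag => NX disabled
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True  # GOT resolved at load time, so it can be made read-only
    if has_relro:
        report["relro"] = "full" if bind_now else "partial"
    return report


def missing_mitigations(report):
    """List the findings a scanner would raise for one binary."""
    missing = [k for k in ("pie", "nx", "canary") if not report[k]]
    if report["relro"] != "full":
        missing.append("relro(%s)" % report["relro"])
    return missing


def build_elf(pie=True, nx=True, relro="full", canary=True):
    """Construct a minimal synthetic ELF64 image with the requested properties."""
    seg_types = [PT_GNU_STACK, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro != "none" else [])
    dyn = ([(DT_FLAGS_1, DF_1_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)
    dyn_off = 64 + 56 * len(seg_types)  # dynamic section placed right after the phdrs
    phdrs = b""
    for seg in seg_types:
        flags = PF_R | PF_W | (0 if nx or seg != PT_GNU_STACK else PF_X)
        off, size = (dyn_off, len(dyn_bytes)) if seg == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", seg, flags, off, 0, 0, size, size, 8)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, little-endian, SysV ABI
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                   62, 1, 0, 64, 0, 0, 64, 56, len(seg_types), 64, 0, 0)
    strtab = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if canary else b"")
    return header + phdrs + dyn_bytes + strtab


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = elf_mitigations(fh.read())
        print(path, r, "missing:", missing_mitigations(r))
```

Run it against real files with `python3 elfcheck.py /path/to/binary`; the header fields it reads are the same ones the loader uses, so the result does not depend on symbol names being present, except for the canary heuristic noted above.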
Black Duck Binary Analysis Metadata
• Docker image layers
• Historical graph of security vulnerability data for each component
Black Duck Binary Analysis Metadata
• Information Leakage:
– Surfaces Info Leakage data from any file
touched during the scan
– Forgotten developer credentials in
unsuspected places
– AWS Keys
– URLs
– Passwords
– IP Addresses, MAC Address
– Image metadata (location info)
– Shell history
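An added example (not the product's code) of the information-leakage sweep listed above: regex signatures for AWS keys, private-key blocks, URLs carrying credentials, password assignments, IPv4 and MAC addresses, plus a flag on shell-history files, run over a constructed sample rootfs. Binaries are reduced to printable runs the way `strings` does; image EXIF location data would need a separate parser and is not covered. The one design point worth copying is that the report masks the secret portion of each match, so scan output can be pasted into a ticket without itself becoming a leak. The AWS values in the sample are the placeholder credentials from AWS's own documentation, not live keys.

```python
"""Information-leakage sweep over unpacked files: credentials, key material,
URLs with embedded passwords, IP/MAC addresses and shell history, with secret
values masked in the report. Patterns and sample files are constructed for
this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path kind line value")

# kind -> (regex, index of the group holding the secret, or None if nothing to mask)
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), None),
    "aws_secret_access_key": (re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"), 1),
    "private_key": (re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), None),
    "url_with_credentials": (re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@[^\s\"']+"), 1),
    "password_assignment": (re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']{4,})"), 1),
    "cli_password": (re.compile(r"\bmysql(?:dump)?\b.*?\s-p(\S+)"), 1),
    "ipv4": (re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"), None),
    "mac_address": (re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"), None),
}
HISTORY_FILES = {".bash_history", ".zsh_history", ".sh_history", ".mysql_history"}


def masked(match, group):
    """Render the match with the secret group reduced to a 2-char prefix plus stars."""
    text = match.group(0)
    if group is None:
        return text
    start, end = match.span(group)
    secret = match.group(group)
    base = match.start()
    return text[:start - base] + secret[:2] + "*" * (len(secret) - 2) + text[end - base:]


def text_lines(data):
    """Text files by line; binaries as printable runs, the way `strings` sees them."""
    if b"\0" in data:
        return [run.decode("ascii") for run in re.findall(rb"[\x20-\x7e]{8,}", data)]
    return data.decode("utf-8", errors="replace").splitlines()


def scan_tree(files):
    """files: {path: bytes} from an unpacked image. Returns a list of Finding."""
    findings = []
    for path, data in files.items():
        lines = text_lines(data)
        if path.rsplit("/", 1)[-1] in HISTORY_FILES:
            findings.append(Finding(path, "shell_history", 0, "%d commands" % len(lines)))
        for lineno, line in enumerate(lines, 1):  # for binaries, lineno is the run index
            for kind, (regex, group) in PATTERNS.items():
                for m in regex.finditer(line):
                    findings.append(Finding(path, kind, lineno, masked(m, group)))
    return findings


# Constructed sample rootfs. The AWS values are the placeholder credentials
# from AWS's documentation, not live keys.
SAMPLE_FILES = {
    "rootfs/etc/backup.conf": (b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                               b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "rootfs/root/.bash_history": (b"mysql -u root -pSuperSecret1 prod\n"
                                  b"scp dump.sql ops@10.0.0.5:/tmp\n"),
    "rootfs/usr/bin/agent": (b"\x7fELF\x02\x01\x01" + b"\0" * 40
                             + b"https://svc:Hunter2!@update.example.internal/api\0"
                             + b"hwaddr=00:1a:2b:3c:4d:5e\0"),
    "rootfs/opt/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print("%-28s %-22s line %-3d %s" % f)
```

The IPv4 and MAC signatures are noisy by nature (version strings, documentation addresses); in a real pipeline they are best reported as context for a human rather than as blocking findings, while the key, private-key and credential-in-URL hits should fail the build.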
Key Takeaways
Key Takeaways
• Supply chain leaders consider cybersecurity risk their number one concern
• Trust but verify
• Understand your company's risk tolerance level
• Secure through Detect, Protect, Manage, Monitor
• Black Duck Binary Analysis is the best!
Build secure, high-quality software faster
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?