While product name, version number, publisher, and license are the basic elements of a software bill of materials (SBOM), you need to be able to go deeper, to the file level. There you can gain actionable insight into every file in your software and protect your applications from cyberthreats. Let’s start exploring.
Thousands of files make up the complex supply chain of open-source and commercial third-party packages you use to build software applications. How can you trust that they don’t contain vulnerabilities, malware, ineffective mitigations, or indicators of supply chain compromise that put your applications, and your business, at risk?
A List Is Just a List
An SBOM created from software composition analysis (SCA) tools gives you a high-level snapshot of the components embedded in your software package. Each one of these components is made up of hundreds or thousands of individual files.
Four pieces of information about each component comprise the heart of the typical software bill of materials:
1. The product name (examples: 7-Zip DLL, pip, Tk 8, libcrypto)
2. The product version (examples: 15.14, 9.0.1, 8.5.15, Generic)
3. The publisher (examples: Igor Pavlov, ActiveState Corporation, Microsoft, Google)
4. Licensing (examples: LGPL, MIT, BSD, Apache)
The challenge for the developer is that threats and software issues show up at the file level, not at the product or publisher level.
Without performing file-level analysis on each SBOM component you can’t see, or remediate, problems before deploying an application, and that’s a risk you don’t want to take.
What If You Could Get Insights Into Every Component?
A complete report gives you all the information of an SBOM, plus individual file analysis. You get the actionable information you need to remediate problems and build secure applications. The report covers four areas of information you can monitor and act on:
1. Quality Grade
2. Verified Components
3. Risks/Issues Tracking
4. Unexpected Behaviors
Start with the big picture
A list of what’s in your package is nice, but wouldn’t it be better to have information that you can do something with?
With the ReversingLabs Report, your starting point is the Software Quality Grade, which tells you the overall quality of your installation package. You’ll know, at a glance, if you can move forward with minimal or no additional steps, or if you need to pause and remediate major issues.
Once you have an idea of overall quality, you can start digging deeper to identify what the problems are, where they lie, how serious they are, and how to fix them.
As you scroll down your dashboard, you’ll see a grade for each component within your software package as well. Now you can really start to get visibility.
Drilling down: Your components have components
Package components consist of other components, and those components can be vulnerable too. Most SBOMs stop at the library level, arguing that you only need to know the vulnerabilities at that level.
Our static analysis and recursive file unpacking goes deeper into these component dependencies. When you click into a component in the report, you can see static, dynamic, and package dependencies and the number of vulnerabilities within each.
If the version is unknown, ReversingLabs can still map vulnerabilities to the dependencies with static code analysis.
We even uncover silent vulnerabilities hidden within statically linked package dependencies that other tools struggle to find.
When you can map a vulnerability to its dependencies you can take action, either by remediating the software or by implementing security controls that mitigate the issue.
Drill into each component to understand its dependencies and their known vulnerabilities.
The report will identify which components have been “Verified” by ReversingLabs against a file reputation service or a trusted source repository. For a verified component you can trust that:
it contains no malware, which could indicate a supply chain attack;
no package tampering was found;
its identity is exactly what you see in the report;
it is what it claims to be.
Verification checks components against reliable, secured file repositories to show which publisher and product data is accurate.
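One way to make the “verified” check concrete at the file level, as an added example that is not ReversingLabs’ code or method: hash every file in an unpacked release and compare it against the per-file SHA-256 hashes recorded in its SBOM, then flag each file as verified, tampered, missing, or present on disk but absent from the SBOM (the file that shouldn’t be there). The SBOM is a constructed CycloneDX-style fragment in which each file is a component of type "file"; the sample release tree is built inline and is constructed, not real package data. In a real pipeline the reference hashes would come from the build that produced the SBOM or from a trusted source repository.

```python
"""Check an unpacked release against per-file SHA-256 hashes in its SBOM.

Added example, not ReversingLabs code.  Assumes a CycloneDX-style SBOM in
which each file is a component of type "file" whose "name" is the path
relative to the release root and whose "hashes" list carries a SHA-256.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_hashes(sbom: dict) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file-type component in the SBOM."""
    expected = {}
    for comp in sbom.get("components", []):
        if comp.get("type") != "file":
            continue
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                expected[comp["name"]] = h["content"].lower()
    return expected


def verify_release(root: Path, sbom: dict) -> dict[str, list[str]]:
    """Classify every file under root as verified, tampered, missing or unexpected.

    'missing'    = listed in the SBOM but absent from disk
    'unexpected' = on disk but absent from the SBOM (the "shouldn't be here" case)
    """
    expected = expected_hashes(sbom)
    present = {p.relative_to(root).as_posix(): sha256_of(p)
               for p in root.rglob("*") if p.is_file()}
    result = {"verified": [], "tampered": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            result["missing"].append(rel)
        elif present[rel] != digest:
            result["tampered"].append(rel)
        else:
            result["verified"].append(rel)
    result["unexpected"] = [rel for rel in present if rel not in expected]
    return {k: sorted(v) for k, v in result.items()}


def build_demo() -> tuple[Path, dict]:
    """Constructed release tree and SBOM; the file names only echo the page's examples."""
    files = {
        "bin/7z.dll": b"constructed stand-in for a 7-Zip DLL\n",
        "lib/libcrypto.so": b"constructed stand-in for libcrypto\n",
        "lib/tk8.5/tk.tcl": b"constructed stand-in for a Tk script\n",
    }
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "file", "name": rel,
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]}
        for rel, data in files.items()]}
    root = Path(tempfile.mkdtemp(prefix="sbom-demo-"))
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # Simulate what a tampered release looks like (constructed):
    (root / "lib/libcrypto.so").write_bytes(files["lib/libcrypto.so"] + b"\x90" * 8)  # modified
    (root / "lib/tk8.5/tk.tcl").unlink()                                             # dropped
    (root / "bin/helper.exe").write_bytes(b"constructed file not in the SBOM\n")     # added
    return root, sbom


def run_demo() -> dict[str, list[str]]:
    """Build the constructed release, verify it, and clean up the temp tree."""
    root, sbom = build_demo()
    try:
        return verify_release(root, sbom)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for status, paths in run_demo().items():
        print(f"{status:10s} {paths}")
```

Running it reports one verified file (bin/7z.dll), one tampered file (lib/libcrypto.so), one missing file (lib/tk8.5/tk.tcl), and one unexpected file (bin/helper.exe). A hash match only proves the file is the one the SBOM recorded; it says nothing about whether that recorded file was itself clean, which is why the reference must come from a trusted source rather than from the package being checked.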
Easier remediation prioritization
The report makes it easy to identify which issues to tackle first. Issues are organized by type and severity, so you can see which ones are causing security policy failures, whether it’s the presence of active threats within the software, problems with digital signatures, components missing proper security mitigations, or data protection issues.
Hold on, this shouldn’t be here!
Attackers work hard to hide their malicious changes in plain sight, making their code changes look like they belong in your code base. Looking for unexpected behaviors within complex release packages becomes your best line of defense against these supply chain attacks.
Third-party components and libraries, however, can be as inscrutable as black boxes for many application analysis tools. Without access to the source code or special debug builds, their results are often not detailed enough to be useful.
We give you a detailed look into the software behaviors of each component straight from the release image, by applying our malware behavior analysis experience and proprietary techniques. Our human-readable descriptions of your software’s intent make it easier, and faster, for you to identify unexpected or untrustworthy software behaviors.
Uncover tampering by analyzing software behaviors
List of software behaviors
Start Releasing Securely
The beauty of the ReversingLabs report is that since everything in your package is analyzed, you can drill down on each component and see where issues lie at the file level. You can pinpoint issues so that your team focuses on the most important improvements to keep your software secure. Are you ready to explore beyond the SBOM?
ReversingLabs Software Assurance Solution Brief