Using CodeSonar for Software Supply Chain Risk Management

August 9, 2017 Mark Hermeling

 

AdobeStock_99180765_v2_small-1.jpg

The software supply chain is a growing concern in software development. Security, in particular, of third party software is a risk that needs to be evaluated and managed. Binary code such as object files, libraries and executables are particularly difficult to evaluate since source may not be available.

Static analysis has been applied to software under development for decades. It is a tried and proven technique to highlight defects like buffer overruns [CWE-120/CWE-121/CWE-122 and such] and null pointer dereferences [CWE-476] in source code. These type of warnings can lead to exportable security vulnerability in software projects. The state of technology is now to the level that static analysis can be applied to binaries (executables and libraries). Static analysis of binaries is one of the tools that companies in any vertical can use to measure the outstanding risk in their software supply chain and to manage relationships with their 3rd party software providers.

MITRE investigated binary analysis and confirmed that performing static analysis on 3rd party binaries provides valuable feedback on outstanding security risk in safety or security critical software projects.

The following video illustrates how GrammaTech CodeSonar's unique binary analysis capability can be used to manage security risk:

 
 

Like what you watched? Download our white paper "Eliminating Vulnerabilities in Third-Party Code with Binary Analysis" to learn more.

Read the Guide

 

Previous Article
Thwarting Insider Attacks with Advanced Static Analysis
Thwarting Insider Attacks with Advanced Static Analysis

INTRODUCTION: The security threat posed by insiders is often underestimated. According to an I...

Next Article
Software Supply Chain: Risk and Reward
Software Supply Chain: Risk and Reward

INTRODUCTION: The recent interest in the so called “software supply chain” highlights the grow...