The software supply chain is a growing concern in software development. Security, in particular, of third party software is a risk that needs to be evaluated and managed. Binary code such as object files, libraries and executables are particularly difficult to evaluate since source may not be available.
Static analysis has been applied to software under development for decades. It is a tried and proven technique to highlight defects like buffer overruns [CWE-120/CWE-121/CWE-122 and such] and null pointer dereferences [CWE-476] in source code. These type of warnings can lead to exportable security vulnerability in software projects. The state of technology is now to the level that static analysis can be applied to binaries (executables and libraries). Static analysis of binaries is one of the tools that companies in any vertical can use to measure the outstanding risk in their software supply chain and to manage relationships with their 3rd party software providers.
MITRE investigated binary analysis and confirmed that performing static analysis on 3rd party binaries provides valuable feedback on outstanding security risk in safety or security critical software projects.
The following video illustrates how GrammaTech CodeSonar's unique binary analysis capability can be used to manage security risk:
Like what you watched? Download our white paper "Eliminating Vulnerabilities in Third-Party Code with Binary Analysis" to learn more.