ESF recommends binary analysis and reproducible builds before releasing software

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: The Enduring Security Framework (ESF) working group released a new recommended practices report for software supply chain security, citing binary composition analysis and reproducible build validation as must-haves for managing software risk. Also: Russian foreign intelligence has been spotted exploiting a JetBrains vulnerability, which is affecting companies globally.

This Week’s Top Story

ESF recommends binary analysis and reproducible builds before releasing software

The Enduring Security Framework (ESF) Software Supply Chain Security Working Group has released the fifth report in its guidance series: “Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials” (PDF). The report not only lays out the key ways software producers should manage open source software components and use SBOMs effectively, but also pushes for the secure delivery of software using binary composition analysis and reproducible build validation.

The ESF is a public-private working group led by the U.S. National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with industry partners. ESF’s guidance series began in September 2022, with three reports that offer recommended practices for the relevant stakeholders of software supply chain security. They include:

  1. Developers (09/2022)
  2. Suppliers (10/2022)
  3. Consumers (11/2022)

In the second phase of its guidance series, the ESF released a recommended practice document for Software Bill of Materials (SBOM) Consumption in November 2023. Rather than addressing one specific audience, that report addressed a major area within software supply chain security for all three audiences. The new guidance follows the same pattern: it focuses on the additional area of managing open source software and SBOMs, and is directed at developers, suppliers, and consumers of software alike.

The ESF guidance lays out how to establish proper open source software management, how SBOMs can be used to account for open source components, and how to handle open source crises such as the accidental use of a malicious component in software. To ensure secure software delivery, the report recommends the following:

“Before shipping the software package to customers, the developer or supplier should perform binary composition analysis to verify the contents of the package and reproducible build validation when possible.”

Binary composition analysis refers to examining the executable binaries in a software package at run-time, rather than analyzing the code statically as software composition analysis (SCA) does. With binary analysis, teams can monitor program behavior, identify anomalies in the software, and uncover potential security flaws that legacy application security testing misses. Reproducible build validation is also essential: comparing independent builds of the same source surfaces malware and other forms of tampering introduced into a build.
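As an added illustration (not code from the ESF report or from ReversingLabs), the following release gate shows the two checks the report recommends side by side: verifying a package's shipped files against the hashes declared in its SBOM, and comparing two independent builds for reproducibility. All archives and hashes are constructed in memory; the SBOM is reduced to a path-to-SHA-256 map rather than a full CycloneDX or SPDX document.

```python
"""Added example: SBOM content verification and reproducible build comparison
over constructed in-memory tar archives (not the ESF's or any vendor's code)."""
import hashlib
import io
import tarfile


def build_archive(files: dict[str, bytes]) -> bytes:
    """Construct a tar archive from {path: content} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):  # sorted order aids reproducibility
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp so two builds can be byte-identical
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_members(archive: bytes) -> dict[str, str]:
    """Map every regular file in the archive to its SHA-256 hex digest."""
    digests: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def verify_against_sbom(archive: bytes, sbom_hashes: dict[str, str]) -> dict[str, list[str]]:
    """Binary composition check: every shipped file must appear in the SBOM with a
    matching hash. Reports files that are undeclared, missing, or altered."""
    actual = digest_members(archive)
    shared = actual.keys() & sbom_hashes.keys()
    return {
        "undeclared": sorted(actual.keys() - sbom_hashes.keys()),
        "missing": sorted(sbom_hashes.keys() - actual.keys()),
        "altered": sorted(p for p in shared if actual[p] != sbom_hashes[p]),
    }


def reproducible_diff(build_a: bytes, build_b: bytes) -> list[str]:
    """Reproducible build validation: list files whose digests differ between two
    independent builds of the same source. An empty list means the builds match."""
    a, b = digest_members(build_a), digest_members(build_b)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))
```

A non-empty `undeclared` or `altered` list, or a non-empty reproducibility diff, is the signal to hold the release and inspect the offending files before they reach customers.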

Matthew Rose, Field CISO at ReversingLabs, said the ESF’s new software supply chain security guidelines are a big step forward:

“Binary composition analysis is a must-have when you consider the ever-growing risks associated with software supply chain security. Binary analysis should be every organization’s final exam of their compiled packages to ensure you can trust the package is free from compromise. Adding reproducible builds to the process would be an even further protection to identify such compromise.” - Matt Rose

Learn more about the benefits of binary analysis and reproducible builds, two key components of ReversingLabs Software Supply Chain Security.

This Week’s Headlines

Russian intelligence service exploiting JetBrains vulnerability

Government agencies in the U.S., Poland and the U.K. said that Russia’s Foreign Intelligence Service (SVR) has been exploiting a vulnerability that was exposed earlier this year in a popular product from Czech software giant JetBrains. Officials said they have notified dozens of companies across the U.S., Europe, Asia and Australia after discovering hundreds of compromised devices. (The Record)

38% of Log4J apps are using a vulnerable version of the library

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.

The infamous flaw was discovered as an actively exploited zero-day on December 10, 2021. Its widespread impact, ease of exploitation, and massive security implications acted as an open invitation to threat actors. (Bleeping Computer)

Kubescape project adds Vulnerability Exploitability eXchange (VEX) support

With its new feature for generating reliable Vulnerability Exploitability eXchange (VEX) documents, Kubescape has become the first open-source project to provide this functionality. This advancement offers security practitioners a powerful tool to effectively prioritize and address software vulnerabilities.

Kubescape uses its eBPF-based Kubernetes runtime reachability capability to generate VEX documents automatically, providing clear and actionable signaling for vulnerability prioritization and management. By using eBPF to detect which software packages are actually loaded at runtime, Kubescape distinguishes vulnerabilities in unused code from those that pose a real risk in container environments, easing the work of security practitioners. (Help Net Security)

Boosting faith in the authenticity of open source software

The Sperenza system aims to reassure software consumers that the product they are getting from a software producer has not been tampered with, and is coming directly from a trustworthy source. This system allows software maintainers to be anonymous, which the creators of Sperenza believe will give software users the confidence that their software maintainers are legitimate, and that the code they are using is trustworthy. (MIT News)

Healthcare and public health warned about open source risks

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which can be far-ranging in healthcare. Open source code is used in a wide range of healthcare systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components. (HIPAA Journal)

Resource Roundup

New Gartner® Report | Mitigate Enterprise Software Supply Chain Security Risks

The new report from Gartner identifies that software supply chain attacks have repeatedly demonstrated that software artifacts represent an attack surface through which malicious code can be introduced. Gartner mentions ReversingLabs in this report as a solution to identify malware and malicious code. [Get the insights]

On Demand Webinar | Delivering Threat Analysis Beyond VirusTotal's Reach

Watch as experts discuss the complexities of advanced malware analysis in the modern era and demonstrate how ReversingLabs' advanced solutions not only meet but exceed the capability of VirusTotal. [Watch Now]

Devon Courtney

Strategic Account Manager in Cybersecurity

10 months

“Before shipping the software package to customers, the developer or supplier should perform binary composition analysis to verify the contents of the package and reproducible build validation when possible.” Heartily agree.

Stuart Phillips

Digital Marketing Strategist | Content Wizard | Storyteller

11 months

Check this out!

Jenny D.

Events Marketing Manager at ReversingLabs

11 months

Make sure to check this out!
