Finite State this week has added a binary analysis capability that enables device manufacturers to more easily identify zero-day vulnerabilities in software.
Jeff Martin, vice president of product for Finite State, said this latest addition to the company’s risk analysis platform can quickly assess third-party components for zero-day vulnerabilities and other known common vulnerabilities and exposures (CVEs).
The Finite State risk analysis platform is primarily used by device manufacturers that typically employ on-board support packages (BSPs) and software development kits (SDKs) from third-party vendors and developers. The challenge they face is those BSPs and SDKs are essentially a black box that device manufacturers can’t see inside, added Martin.
In the absence of that visibility, Martin said device manufactures have no idea whether or not their software supply chains have been compromised by a zero-day vulnerability. As in the case of the recent Log4j vulnerability and others, these types of zero-days are being disclosed with greater frequency. In the absence of an analysis tool, IT teams can spend months manually looking for vulnerabilities in connected devices that might be deployed almost anywhere in the world.
In general, Martin noted there is too much attention being paid to inspecting source code rather than the application binaries that cybercriminals are looking to exploit in production environments. While the individual component that makes up a software package may be deemed secure, the way they interact with one another once a binary is created can often be exploited, noted Martin.
Unfortunately, Martin added, many device manufacturers are reluctant to analyze those binaries for fear of liability. It’s easier to assume liability for any vulnerability will lie with the developer of the BSP or the SDK, he said. However, it’s apparent that both end users of a device—and various regulatory bodies—are starting to hold device manufacturers more accountable. Lawsuits are sure to follow, Martin warned. Device manufacturers would be well-advised to get ahead of that scrutiny before a cyberattack causes a major disruption that impacts large numbers of end customers, said Martin.
It’s not clear whether the current focus on software supply chain security will extend to the device level. However, it’s all but inevitable that the current level of scrutiny being applied to applications will eventually extend to embedded systems deployed at the network edge. Right now, many cybersecurity teams are not even aware of the existence of those devices until an incident is reported.
Fortunately, device manufacturers have begun to adopt DevSecOps best practices to ensure the integrity of their software supply chains. In the longer term, Martin said Finite State expects to also use machine learning algorithms to help device manufacturers prioritize which vulnerabilities to address first based on potential risks.
In the meantime, Martin said the important thing to remember is not to overlook binaries. After all, while securing source code is important, it’s often the binaries that are the weakest link in a software supply chain.