Vulnerabilities in the software supply chain are costing device manufacturers business. Flaws in widely embedded components such as the Treck TCP/IP stack and the ThroughTek Kalay P2P SDK continue to emerge, and according to a recent Ponemon Institute report, nearly 60% of organizations have lost revenue due to product security concerns.
Finite State has unveiled a way to reduce the business risk of those vulnerabilities through advanced binary analysis.
Device manufacturers use board support packages (BSPs) and software development kits (SDKs) from third-party vendors and developers, often without knowing what is inside them. Because these packages are essentially black boxes, any insecure configuration files they contain make it easier for threat actors to carry out privilege escalation attacks, brute-force attacks, and other potentially disastrous breaches.
Finite State’s advanced binary analysis enhances automated zero-day vulnerability detection to eliminate blind spots in developer libraries. Because it works on compiled binaries rather than source code, this capability goes beyond source-code-based software-as-a-service (SaaS) offerings to catch the vulnerabilities those tools miss.
“Manufacturers are inherently trusting the developers of SDKs and BSPs, but recent vulnerabilities like Log4j, ThroughTek, Realtek, and DNSpooq prove they shouldn’t be so trusting,” said Jeff Martin, VP of Product at Finite State. “Our advanced binary analysis finally gives manufacturers visibility into these packages that are being added to their firmware unchecked.”
In addition to making it possible for security teams to see into these black boxes, Finite State’s advanced binary analysis saves them the time and effort of extensive manual testing. This essential feature ensures that products are more secure before they are shipped and allows organizations to quickly assess their third-party components for zero-day vulnerabilities and Common Vulnerabilities and Exposures (CVEs), protecting customer relationships and brand reputation and avoiding potential loss of revenue.