GrammaTech announced a new version of its CodeSentry software supply chain security platform which enables organizations to produce a software bill of materials (SBOM).
CodeSentry enables organizations to proactively detect and address risks in commercial off-the-shelf (COTS) applications and third-party software, and allows development teams to ensure they are delivering secure and compliant software. With the integration of VulnDB from Risk Based Security, a Flashpoint company, CodeSentry version 3.0 now provides enhanced intelligence, visibility and remediation information for vulnerabilities present in open source components, as well as license information, all detected through automated binary scanning.
Virtually all software applications include third-party and open-source components that create a software supply chain security blind spot. A recent Osterman Research report found that 100% of all analyzed COTS applications contained vulnerable open-source components, and critical vulnerabilities (CVSS 10.0) were present in 85% of them. In fact, nearly 60% of enterprise IT software contains third-party (33%) and open source (29.5%) code according to VDC Research.
To deliver unprecedented visibility into software supply chain security risks for third-party software consumers like enterprises and software vendors, CodeSentry performs binary software composition analysis (SCA) without access to source code. It generates a detailed SBOM to identify open source components, detect N-Day and Zero-Day vulnerabilities and deliver a comprehensive vulnerability report with remediation recommendations.
“With the rise in software supply chain attacks, organizations need to make themselves more resilient to threats by proactively managing the security posture of both the commercial applications they use and the software they develop and sell,” said Vince Arneja, Chief Product Officer at GrammaTech. “CodeSentry provides deep visibility, intelligence and actionable information into the makeup of software applications and their vulnerabilities without access to source code so enterprises, development teams and software vendors can better identify and reduce cyber risk.”
Comprehensive software supply chain security
Since source code is rarely available for purchased applications and third-party code, binary analysis is the only alternative for extracting an SBOM to identify open source components and the security vulnerabilities they may contain. Offered as a SaaS or on-premises solution, CodeSentry completely automates this process, providing a foundation for improving software supply chain security.
Using CodeSentry, enterprises can verify the composition and security of commercial applications they have deployed or are planning to deploy. When a scan identifies a list of open source components and associated vulnerabilities within a COTS application or third-party software (e.g. printer drivers or router firmware), CodeSentry will list other common software products and the versions which may be impacted by the same risk.
In addition, the results identify what version of the software has remediated the issue as well as what versions are not vulnerable. This provides information security teams with visibility into which other applications in their environment may be at risk from the same open source vulnerability. It also enables companies to better manage vendor risk and only approve the procurement of software that passes a security analysis and verification test.
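The correlation described in the two paragraphs above (match SBOM components against an advisory feed, report the fixed version, and flag other inventoried products that carry the same exposure) in miniature, as an added illustration that is not GrammaTech or CodeSentry code; the advisory feed, advisory ids and product inventory are constructed placeholders.

```python
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.2.11' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))

# Constructed advisory feed (placeholder ids, not real CVEs): for each
# component, the affected version range is [introduced, fixed).
ADVISORIES: Dict[str, List[dict]] = {
    "zlib": [{"id": "ADV-PLACEHOLDER-1", "introduced": "1.2.0", "fixed": "1.2.12"}],
    "libcurl": [{"id": "ADV-PLACEHOLDER-2", "introduced": "7.80.0", "fixed": "7.83.0"}],
}

# Constructed inventory of other products already scanned, with their SBOMs.
INVENTORY: Dict[str, Dict[str, str]] = {
    "printer-driver-pkg": {"zlib": "1.2.11", "libcurl": "7.84.0"},
    "router-firmware": {"zlib": "1.2.8", "libcurl": "7.79.1"},
    "badge-reader-app": {"zlib": "1.2.13"},
}

def is_affected(version: str, adv: dict) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def assess_sbom(product: str, sbom: Dict[str, str]) -> List[dict]:
    """Match each SBOM component against the feed; for every hit, report the
    version that remediates it and which other inventoried products share it."""
    findings = []
    for component, version in sbom.items():
        for adv in ADVISORIES.get(component, []):
            if not is_affected(version, adv):
                continue
            others = sorted(
                name for name, comps in INVENTORY.items()
                if name != product and component in comps and is_affected(comps[component], adv)
            )
            findings.append({
                "component": component, "version": version, "advisory": adv["id"],
                "fixed_in": adv["fixed"], "also_affected": others,
            })
    return findings

if __name__ == "__main__":
    for finding in assess_sbom("printer-driver-pkg", INVENTORY["printer-driver-pkg"]):
        print(finding)
```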
For software developers
CodeSentry also provides the visibility needed to implement software security assurance by validating the security of third-party code and open source components used as development libraries. As a final check before deploying software internally or releasing it to market, a CodeSentry scan will produce an SBOM to identify open source components and vulnerabilities that must be fixed prior to the delivery of final code. Finally, CodeSentry can confirm which security attributes are turned on and provide a scoring metric report so developers can harden the executables to make their applications more secure.
For regulatory compliance
Meanwhile, governing bodies are now starting to require SBOMs from software and hardware vendors. As an example, the FDA is requiring medical device manufacturers to produce SBOMs as a go-to-market prerequisite, and the recent presidential cybersecurity executive order for improving software supply chain security will require that vendors working with the U.S. Government provide the same detailed information on the components in their software applications. CodeSentry delivers both an SBOM and security vulnerability reporting for COTS applications and third-party software, as well as software embedded in all types of devices.
Finally, CodeSentry provides license information for detected open source components in third-party code so developers can ensure they are compliant with any restrictions associated with the software license. This information also allows vendor risk management teams evaluating COTS software to assess the license risk associated with open source components.
GrammaTech CodeSentry 3.0 is available immediately from GrammaTech and its business partners worldwide.