NetRise ZeroLens identifies undisclosed software weaknesses
NetRise has announced a new product, NetRise ZeroLens. NetRise’s category-redefining platform creates a software asset inventory, which is critical for managing organizational risk.
NetRise analyzes compiled code to find risk in the software that actually executes on devices and other systems. This technique, known as binary composition analysis (BCA), identifies vulnerabilities that traditional vulnerability scanners and source code scans miss, and prioritizes them before they are exploited.
NetRise ZeroLens adds to the platform’s capabilities by analyzing the compiled code for weaknesses (CWEs) that have not yet been identified or exposed as vulnerabilities. NetRise ZeroLens incorporates AI to summarize the CWEs found and guides remediation based on the context of the code around the discovered weaknesses.
“By identifying weaknesses in code already running on devices that are critical to the enterprise, NetRise ZeroLens provides CISOs and their teams a path to rapid detection and mitigation before those weaknesses are exposed as vulnerabilities,” said Thomas Pace, NetRise CEO. “The cybersecurity market has been begging for proactive vulnerability identification instead of constantly operating in a reactive model. NetRise ZeroLens is proactive vulnerability identification at scale.”
Benefits offered by NetRise ZeroLens include:
- Enhanced quantification of risk: NetRise ZeroLens identifies previously unknown weaknesses in binary software, enabling better risk management decisions in the enterprise.
- Vulnerability research at scale: NetRise ZeroLens enables ethical hackers and red team members to upload and analyze thousands of binaries concurrently, dramatically reducing the time required for manual analysis.
- Proactive detection of code weaknesses: By identifying vulnerabilities before they are exploited, NetRise ZeroLens prioritizes remediation and mitigation workflows for device manufacturer product security teams.
“Nearly all of the medical devices whose security we ensure run on firmware,” said Garrett Schumacher, Business Unit Director, Product Security at Velentium Medical. “NetRise ZeroLens gives us the ability to test software that other static analysis tools don’t handle well, for instance where no industry standard or insufficient rulesets for secure coding exist. We will use NetRise ZeroLens to enforce CWE analysis on such projects in addition to NetRise’s supply chain security offerings.”
Not only does NetRise ZeroLens identify potential vulnerabilities found within compiled code, but the product also creates AI-driven summaries of its findings to guide any actions needed to mitigate that risk. “NetRise ZeroLens provides researchers and developers specific guidance based on its findings,” said Michael Scott, NetRise CTO. “For example, if the tool finds a buffer overflow, the summary looks at the functions within the code, contextual usage, and can determine whether the input is user-supplied or static, informing and advising accordingly.”
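The "user-supplied or static" question in Scott's buffer-overflow example is, at its core, an origin-tracking pass over the code around the copy. The following is an added illustration, not NetRise's code: a toy classifier that walks a hand-written mini-IR of one decompiled function, propagates each value's origin, and emits the kind of per-finding guidance the text describes. The instruction format, the source and sink tables, and the sample IR are all constructed for the example; real BCA tooling operates on lifted machine code.

```python
# Constructed tables for the example.
# Sources: which operand receives attacker-controlled bytes (None = return value).
TAINT_SOURCES = {"recv": 1, "read": 1, "fgets": 0, "getenv": None}
# Unbounded copies (CWE-120 style): (destination operand index, source operand index).
UNBOUNDED_SINKS = {"strcpy": (0, 1), "strcat": (0, 1), "sprintf": (0, 1)}

def classify_copies(ir):
    """Walk the mini-IR once, propagating each value's origin.
    Instruction forms (constructed): ("const", dst), ("assign", dst, src),
    ("call", fn, dst, args) where dst may be None.
    Returns [(fn, dest_buffer, origin)] for every unbounded copy, with origin
    in {"user-supplied", "static", "unknown"}."""
    origin, findings = {}, []
    for insn in ir:
        if insn[0] == "const":
            origin[insn[1]] = "static"          # compile-time literal
        elif insn[0] == "assign":
            origin[insn[1]] = origin.get(insn[2], "unknown")
        else:
            _, fn, dst, args = insn
            if fn in TAINT_SOURCES:
                idx = TAINT_SOURCES[fn]
                origin[dst if idx is None else args[idx]] = "user-supplied"
            elif fn in UNBOUNDED_SINKS:
                d, s = UNBOUNDED_SINKS[fn]
                findings.append((fn, args[d], origin.get(args[s], "unknown")))
            elif dst is not None:
                # Unknown callee: conservatively taint the result if any input is tainted.
                tainted = any(origin.get(a) == "user-supplied" for a in args)
                origin[dst] = "user-supplied" if tainted else "unknown"
    return findings

def summarize(findings):
    """Per-finding guidance in the spirit of the contextual summary described above."""
    advice = {"user-supplied": "remediate: bound the copy (strncpy/snprintf) or validate the length first",
              "static": "low priority: source is a compile-time literal; confirm its size fits",
              "unknown": "review: source origin not resolved by this pass"}
    return [f"{fn} into {buf}: input is {org}; {advice[org]}" for fn, buf, org in findings]

# Constructed IR resembling a decompiled request handler.
SAMPLE_IR = [
    ("const", "banner"),
    ("call", "recv", "n", ("sock", "netbuf", "256", "0")),
    ("assign", "p", "netbuf"),
    ("call", "strcpy", None, ("stack_buf", "p")),        # source traced back to recv()
    ("call", "strcpy", None, ("name_buf", "banner")),    # source is a literal
    ("call", "getenv", "home", ('"HOME"',)),
    ("call", "strcat", None, ("path_buf", "home")),      # environment is attacker-influenced
]
```

Running `summarize(classify_copies(SAMPLE_IR))` yields three lines: the `recv`-fed and `getenv`-fed copies are flagged for remediation, while the literal-fed copy is marked low priority.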
A “zero-day” is a vulnerability in code that has no patch or other fix available. Until the vulnerability is remediated, threat actors can exploit it in a “zero-day attack.”
The Log4j vulnerability is one of the most well-known zero-day exploits of recent years. Estimates at the time of its discovery in December 2021 indicate that nearly 90% of global enterprises were impacted by this incident, which exploited a vulnerability in an extremely popular open-source library. Further research showed that even two years after the event, 38% of organizations continued to use vulnerable versions of the Log4j open-source library.
“NetRise ZeroLens builds on our founding vision by adding to the software asset inventory a look beyond vulnerabilities to finding weaknesses that have yet to be exploited by bad actors,” continues Pace. “This enhanced context allows for better understanding of risk within the organization and proactive planning to mitigate that risk.”