Feature Preview

Check out what we’re developing
Ask about joining our Early Access program
Managing software security for modern applications is an act of balancing feature development and the ever-evolving threats landscape. Application security is an integral part of the software development lifecycle, and often the primary driver for a software update. Monitoring software security quality and enforcing best practices during development eliminates the “mad scramble dash” at the end of a release cycle.

We’re making this vision of integrated software security development a reality through our feature-driven development. Here’s a sneak preview for some of the features we’re working on.

Detect Reproducible Build Tampering

  • saas-released
  • cli-released
  • security
  • operations
  • behaviors
  • tampering
  • reproducible-builds

Software changes made by compromised build infrastructure cannot be detected through source code scanning or composition analysis. Binary analysis that can examine software behaviors and how they differ from package to package is needed to close this visibility gap. This differencing has proven to be an effective means of uncovering new malware or targeted software supply chain attacks.

Combining automated behavior differencing with the idea of software reproducibility results in a systematic way to identify attacks on CI/CD systems and processes. Confirming that the same code compiled by two separate build environments produces the same software behaviors (i.e., reproducible behaviors) validates build system integrity. This approach automates tampering detection without the hassle of tinkering with CI/CD tooling and automation to create byte-for-byte reproducible builds. Finally, the age-old dream of hassle-free reproducibility has become a reality!

Approved Software Releases

  • saas-released
  • security
  • operations
  • behaviors
  • tampering
  • review
  • enforcement

Releasing software updates in the age of supply chain attacks is a stress-inducing venture. Modern software stacks have become extremely complex, and increasingly dependent on a multitude of third-party libraries. Protecting software integrity is now a challenge of managing the security of the build system and all of the code it uses to produce your software artifacts.

With approved software releases, application security teams get a final stamp of approval before a package gets out the door. Automated package diffing not only highlights changes between subsequent versions, but also provides insight into code behaviors. Spotting a newly added unknown component, finding an old one that suddenly has new code, or catching a digital signature that fails to validate are just some examples of rules used to protect supply chain integrity. Automatically approve releases that comply with set policies, and have a second pair of eyes on anything that looks odd.

Fine-grained Policy Controls

  • cli-released
  • devsecops
  • configuration
  • suppression
  • enforcement

While some security quality issues are less important because their overall impact is negligible, others are their complete opposite. Sometimes you explicitly want to fail the build if a critical vulnerability hasn’t yet been resolved, if you’ve forgotten to enable a security mitigation, or if someone added networking functionality to a component that was never meant to have it.

With fine-grained policy controls, all this becomes easy. Each software component, whether developed in-house or obtained from a third party, can have a set of enforced do’s and don’ts. You can even create custom content matching rules that prevent secrets from being leaked. Application security and software development teams can use this feature to move the security posture in the right direction, both having their voices heard and working together to improve the user experience.
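As an added example (not ReversingLabs code, and not a description of its product internals), the reproducible-behavior check from the build tampering section combined with the "no new networking" rule from this one, run over constructed behavior reports; the report format, behavior labels and rule names are assumptions:

```python
"""Behavior differencing across two independent builds of the same source,
plus a small policy layer on top. Added example, not ReversingLabs code;
the report format, behavior labels and rule names are assumptions."""
import json

# Constructed sample reports: per-component behavior labels extracted from the
# artifacts that two separate build environments produced from identical source.
BUILD_A = json.loads("""{"app.jar": ["file-read", "tls-client"],
    "libcrypto.so": ["file-read"], "helper.so": ["file-read"]}""")
BUILD_B = json.loads("""{"app.jar": ["file-read", "tls-client"],
    "libcrypto.so": ["file-read", "tcp-connect", "dns-query"],
    "helper.so": ["file-read"], "update.so": ["tcp-connect", "exec-shell"]}""")

NETWORK_BEHAVIORS = {"tcp-connect", "dns-query", "tls-client"}

def behavior_diff(baseline, candidate):
    """Per-component behavior differences between two builds (sets, so the
    order in which a scanner lists behaviors does not matter)."""
    diffs = {}
    for comp in sorted(set(baseline) | set(candidate)):
        before = set(baseline.get(comp, []))
        after = set(candidate.get(comp, []))
        if comp not in baseline:
            diffs[comp] = ("new-component", after, set())
        elif comp not in candidate:
            diffs[comp] = ("missing-component", set(), before)
        elif before != after:
            diffs[comp] = ("changed", after - before, before - after)
    return diffs

def evaluate_policy(baseline, candidate):
    """Reproducible-behavior check: two builds of the same source must show
    identical behaviors; any drift is reported as possible build tampering.
    Policy rule: a component that never had networking must not gain it.
    Returns (passed, findings)."""
    findings = []
    for comp, (status, added, removed) in behavior_diff(baseline, candidate).items():
        if status == "changed":
            findings.append(f"{comp}: behaviors drifted +{sorted(added)} -{sorted(removed)}")
        else:
            findings.append(f"{comp}: {status} ({sorted(added | removed)})")
        gained_net = added & NETWORK_BEHAVIORS
        if gained_net and not set(baseline.get(comp, [])) & NETWORK_BEHAVIORS:
            findings.append(f"{comp}: gained networking {sorted(gained_net)}")
    return (not findings, findings)

if __name__ == "__main__":
    passed, findings = evaluate_policy(BUILD_A, BUILD_B)
    print("PASS" if passed else "FAIL")
    for line in findings: print(" -", line)
```

Running it against the constructed reports fails the release with four findings: libcrypto.so drifted and gained networking, and update.so is a new component that also carries networking.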

Software Inventory Monitoring

  • cli-released
  • devsecops
  • security
  • sbom
  • inventory
  • auditing
  • search

Remember when you and your team had to do a mad scramble over the weekend to figure out if, and where, you’re using log4j? That wasn’t fun for anyone, and as things stand it is more than likely something similar will happen again. And very likely a few more times after that as well.

With software inventory monitoring, application security and development teams get to reclaim their weekend. Deep software package inspection recursively extracts hundreds of supported formats to find all embedded and referenced dependencies. It doesn’t matter if you’re developing a web app that uses Django and React, or a server app written in C++ or Java. All these components and their dependencies are listed in the Software Bill of Materials. Even better, there’s a simple search over all of your packages to answer that dreaded question: Hey, are we vulnerable to that log4shell thing the internet is buzzing about?

DISCLAIMER
Any statement on this page that is not purely historical is considered a forward-looking statement. Forward-looking statements included on this page are based on information available to ReversingLabs as of the date they are made, and ReversingLabs assumes no obligation to update any forward-looking statements. The forward-looking Feature Previews do not represent a commitment, guarantee, obligation or promise to deliver any product or feature, or to deliver any product or feature by any particular date, and are intended to outline the general development plans. Customers should not rely on this roadmap to make any purchasing decision.