News

GrammaTech Tool Uncovers Third-Party Code 'Blind Spots'

• By John K. Waters
• October 27, 2020

Application security testing tools provider GrammaTech today unveiled a new solution designed to surface vulnerabilities in third-party code used in the development of custom applications. Dubbed CodeSentry, it performs binary software composition analysis (SCA) to inventory the code and ferret out the vulnerabilities it may contain.

"Using third-party components, rather than building applications from scratch, is an accepted practice for accelerating time to market, and is fueling a massive growth in reusable code," said Mike Dager, CEO of GrammaTech, in a statement. "Most organizations now recognize the security risks that third-party code poses to their applications and business, and the need for software composition analysis provided by CodeSentry, which inspects binaries for unmatched precision."

Third-party software can be delivered in source or binary form, so the enterprises using it often don't know as much as they should about the underlying components, which can be open-source, commercial-off-the-shelf (COTS), or contracted software. The CodeSentry solution detects third-party network components, GUI components, and authentication layers, and finds the vulnerabilities in them. The tool employs deep binary analysis to create a detailed software bill of materials (SBOM) and a comprehensive list of known vulnerabilities.

It's the ability of CodeSentry to provide binary analysis and create a SBOM without the need for source code that eliminates what the company calls "a dangerous blind spot" left by software composition analysis tools that rely on source code to identify third party components. Covering the blind spots allows security professionals to measure and manage risk quickly and easily throughout the software lifecycle, the company says.

Specifically, CodeSentry analyzes the code that will run, not the build environment, which reduces false positives due to superfluous code in build environments, as well as components that are excluded due to build configurations. It identifies components present in native binaries through several component matching algorithms to gather version-number ranges, create an SBOM, and provide links to Common Vulnerability and Exposure (CVE) and Common Vulnerability Scoring System (CVSS) scores.

To enable this level of binary analysis, the company says, CodeSentry uses advanced algorithms to detect components in applications with a high level of recall and sophistication, including strings used in natural language processing. GrammaTech's own "embedding" technology enables CodeSentry to map component disassembly to multi-dimensional vectors and compare them to vectors derived from the components.

CodeSentry integrate with DevSecOps workflows to uncover security gaps in both source and third-party code, and track code lineage for traceability. The company expects to make the solution available next year via a software-as-a-service (SaaS) platform. It's currently available for the company's partners.

Based in Bethesda, MD, with an R&D center in Ithaca, NY, GrammaTech is a cybersecurity research partner for the US civil, defense, and intelligence communities.