GrammaTech, a leading provider of application security testing (AST) products and software research services, is pleased to announce that its CodeSentry binary Software Composition Analysis (SCA) platform will compete, for the fourth consecutive year, in American Security Today’s Annual Homeland Security Awards Program.
Most software developers add third-party and open-source components to their code to achieve desired capabilities without reinventing the wheel. While this practice saves time and reduces development costs, developers ultimately must assume responsibility for the security of code they did not write.
The companies that then purchase the software, either to embed it into their products (e.g., government, defense, aerospace, transportation, medical, industrial, or business applications) or to use themselves as a business application, must be concerned with the security of the code.
Too many recent attacks have demonstrated the negative effects of vulnerabilities in the software supply chain, including Sunburst, Log4j, Codecov, Kaseya, and others.
According to B2B technology market intelligence and consulting firm VDC Research, nearly 60% of software products contain third-party code, most of which uses open-source components under the hood. Because this pre-built code is delivered in binary form, organizations have had no way to detect the security risks it carries.
CodeSentry was developed by GrammaTech to address software supply chain security, allowing organizations to detect security vulnerabilities “under the hood” in third-party code.
(To protect everyone… there’s a code for that. Code is everywhere in the products we count on and use every day. Making that code safe and secure to protect your business – is GrammaTech’s business. Courtesy of GrammaTech and YouTube.)
CodeSentry uses binary software composition analysis (BSCA) to identify known vulnerabilities, cataloged as Common Vulnerabilities and Exposures (CVEs) or Common Weakness Enumeration (CWE) entries, in externally developed software components without access to source code.
Unlike source-code SCA tools, which only inspect components under development, CodeSentry analyzes the binary that actually executes, so it can identify all components and vulnerabilities, including those in post-production applications.
CodeSentry identifies second-, third-, and fourth-party components regardless of where they enter the software supply chain by analyzing the final binary “as deployed.” This allows organizations to identify vulnerable open-source code before it is incorporated into released products.
Finally, CodeSentry detects and tracks N-day and zero-day vulnerabilities throughout the software lifecycle, supported by daily updates. This powerful product has been of special interest to various government organizations, including national security, military defense, and aerospace exploration agencies.
CodeSentry enables organizations to meet the new CISA guidance and executive order requirements through its unique, high-precision identification, tracking, and remediation for vulnerabilities in third-party code.
GrammaTech, a long-trusted homeland security partner, was founded by software analysis and binary transformation experts and has decades of experience in high-tech research partnerships with the U.S. government and other organizations.
Some of those partnerships include the Defense Advanced Research Projects Agency (DARPA), the Department of Defense (DoD), the Department of Homeland Security (DHS), the U.S. Cyber Command, the Department of the Navy, the National Aeronautics and Space Administration (NASA), the National Institute of Standards and Technology (NIST), the National Science Foundation (NSF), the Air Force Research Laboratory (AFRL), and others.
GrammaTech has solved some of these organizations’ most complex software challenges, spanning safety, security, resilience, sustainment, automation, and developer productivity.
(GrammaTech’s latest version of CodeSentry 4.2 is now deployed to all SaaS instances and is available for on-premise installations as well. CodeSentry 4.2 makes it easy to search your software inventory for vulnerable open-source packages with the new ‘Component Search’ feature, and the new CodeSentry Dashboard provides a ‘single pane of glass’ overview of artifact scanning and results across the CodeSentry instance. Courtesy of GrammaTech and YouTube.)
The latest version of CodeSentry detects vulnerabilities in third-party or pre-built code during the development process, and provides comprehensive support for desktop and mobile applications, firmware, containers, and embedded operating systems. Using CodeSentry, developers can verify the contents, security, and safety of third-party software components used to build products.
Because source code is rarely available for third-party software, binary analysis is emerging as a leading method for extracting a software bill of materials (SBOM) to identify components, dependencies, and the security vulnerabilities they may contain.
CodeSentry automates this process to provide a foundation for strengthening software supply chain security, and far outpaces alternatives to provide the broadest possible coverage that includes:
- Desktop, Server, and Mobile platforms: Windows, Linux, macOS, Android, and iOS
- Language Support: Binaries originating from C/C++, C#, Java, and Go, as well as Python and JavaScript
- CPU Architectures: Intel, PowerPC, SPARC, ARM32/64, MIPS, and AVR32
- Embedded OSes: VxWorks, QNX, Squashfs, Cramfs
- File Systems and Containers: Embedded and Firmware Filesystem Image Formats, Mobile File Formats, Docker Containers, and Python and JavaScript Packages
- Supports multiple SBOM formats, including SPDX and CycloneDX
CodeSentry quickly analyzes purchased or commercial off-the-shelf (COTS) software to identify all software components, including custom code, vendor libraries, third-party code, OSS, and API dependencies for software mapping, and generates a software bill of materials (SBOM).
CodeSentry detects zero-day and N-day vulnerabilities even when source code is unavailable, lists all vulnerabilities found in those components, links to the corresponding CVE reports, and offers remediation suggestions.
CodeSentry features an easy-to-use upload interface and multiple output formats that are convenient for DevOps and accessible to IT professionals without programming experience. CodeSentry thoroughly catalogs all components from OSS, custom code, commercial off-the-shelf components, network and GUI components, and authentication layers.
Finally, CodeSentry enables applications to be audit-ready by embedding the SBOM into the application along with software licensing for third-party software.
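As an added illustration of the SBOM-plus-advisory workflow described above (example code written for this page, not GrammaTech's or CodeSentry's own), the Python below builds a minimal CycloneDX document from a constructed component inventory and cross-references it against a constructed advisory feed to flag N-day exposures. The component versions, affected ranges and CVE ids are all assumed placeholders, and the version comparator is deliberately naive.

```python
import re
from typing import Dict, List, Tuple

# Constructed component inventory, in the shape a binary SCA scan of one artifact
# might report it. The names are real open-source projects; the versions are invented.
COMPONENTS = [
    {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "openssl", "version": "3.0.9", "purl": "pkg:generic/openssl@3.0.9"},
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]

# Constructed advisory feed; the CVE ids are placeholders, not real identifiers.
# Each entry means: versions >= introduced and < fixed_in are affected.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "package": "log4j-core", "introduced": "2.0", "fixed_in": "2.15.0"},
    {"id": "CVE-PLACEHOLDER-0002", "package": "zlib", "introduced": "1.2.0", "fixed_in": "1.2.12"},
    {"id": "CVE-PLACEHOLDER-0003", "package": "openssl", "introduced": "3.0.0", "fixed_in": "3.0.8"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11); non-numeric suffixes are dropped (naive on purpose)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def build_cyclonedx(components: List[Dict]) -> Dict:
    """Emit a minimal CycloneDX 1.4 JSON-shaped document, one 'library' entry per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"]}
            for c in components
        ],
    }


def is_affected(version: str, introduced: str, fixed_in: str) -> bool:
    """Half-open range check: introduced <= version < fixed_in."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)


def match_advisories(bom: Dict, advisories: List[Dict]) -> List[Dict]:
    """Cross-reference every SBOM component against the advisory feed (the N-day check)."""
    findings = []
    for comp in bom["components"]:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed_in"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings
```

Running `match_advisories(build_cyclonedx(COMPONENTS), ADVISORIES)` flags zlib and log4j-core but not openssl, whose version is already past the fix; a production matcher would also need ecosystem-aware version semantics and purl-based (not bare-name) matching.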
GrammaTech has corporate headquarters in Bethesda, Maryland, a Research and Development Center in Ithaca, New York, and a global network of distributors and partners.
To learn more, please visit www.grammatech.com.