"Binaries are what machines execute and what attackers attack. Verifying binaries ensure that third party libraries, components packages and compiler vulnerabilities, backdoors and Trojans can be detected"
Economic, competitive and time-to-market pressures are driving enterprises to use third party applications from a myriad of sources as part of their application development process. While this mixed code base of unknown security quality is an undisputed artifact of modern application development, it also pushes liability onto the enterprise resulting in an unacceptable level of risk. Furthermore, the access of source code of third party applications is often limited and lacking. This makes traditional source code scanning a difficult option.
CBIS Labs, through its partnership with Veracode, a world leader in Binary Analysis, is able to provide agile binary analysis through a cloud-based delivery platform. This ensures a fast and affordable analysis for customers.
This binary analysis can add tremendous value in customer's pre-procurement evaluation process. Currently, common RFP evaluation process only involves paper evaluations or at most test units for functional testing. However, vendors are unlikely to provide any source codes for further evaluation. This puts risk on the procurement process. With this binary analysis, procurement agencies are now able to conduct very quick binary analysis and receive the analysis grading which can further give assurance to the security robustness of the product or solution.
This patented and innovative technology has re-defined the possibility of a truly "informed decision".
Extracted from Gartner Blog Network
Neil MacDonald, VP & Gartner Fellow, July 24, 2009
In the research we describe the three primary ways to perform static analysis:
- analysis of the source code
- analysis of the byte code of an interpreted language like Java or .NET
- analysis of the raw binaries of a compiled application (such as a C++application)
The latter two are important if you don't have the source code of the original application to analyze. For example, perhaps its a third-party application or perhaps the source code simply isn't available.
For more information on binary analysis service, email us at firstname.lastname@example.org.