CodeSentry

Binary Software Component Analysis When Source Code Not Available

CodeSentry is CodeSecure’s leading Binary Software Composition Analysis (BSCA) solution for gaining component inventory and insights into vulnerabilities and software risks.  Further CodeSentry generats SBOMs, supporting Vulnerability disclosures, and responding to Software Supply Chain Security (SSCS) risks.

Scan Post-Production Applications, Packages:Binary Analysis When Source Code Not Available

CodeSentry is a Binary BCA solution that identifies open-source components and shared dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most complete database of software vulnerabilities. Analysis when source code is not available.

Key Benefits

Why CodeSentry? This product is designed to reduce time-to-market, exploit vulnerabilities and provide an SBOM.

• Reduce time-to-market
  Vendors, contractors, and partners provide compiled executables, not source code. Binary BCA analyzes compiled executables to identify open source components, then maps the components to our database of vulnerabilities.
• Identify weak security practices
  CodeSentry prevents vulnerable components from entering their products by proactively producing an accurate SBOM of third-party binaries components when binaries are evaluated.
• Provide accurate SBOMs to customers.
  CodeSentry’s Zero-Day Service can detect security issues associated with command and data injection, weak cryptography, race conditions, and many other common weaknesses.

Risk in the Software Supply Chain

Building secure software requires development teams to follow good security practices. But most software
today includes externally developed code, including open-source components and commercial binaries.
They are also being tasked with delivering an SBOM to their customers.

Software Bill of Materials (SBOM) without Source Code

CodeSentry is a Binary SCA solution that identifies open-source components and shared library
dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting
component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most
complete database of software vulnerabilities. The resulting application intelligence and vulnerability
visibility mitigates risk, improves software security, and strengthens enterprise security postures by
defending your products against software supply chain attacks.

Component Inventory and License Information

Checking license information ensures compliance and reduces the risk that software is released and/or consumed with unlicensed components.

• SBOM Generation, Annotation, and Output:
  CodeSentry scan binaries to auto-generate a detailed SBOM via an intuitive interface – easy for non-technical users. SBOM entries can be included or excluded with the annotation feature. Flexible SBOM output formats include PDF, HTML, CSV, SPDX, JSON, and CycloneDX, and Vulnerability
• The Inventory and Vulnerability Search:
  CodeSentry search finds components and vulnerabilities across the inventory of scanned files and identifies vulnerable components, thereby saving time when vulnerabilities are declared and remediation actions are required. The inventory of scans can be filtered to show the latest updates to vulnerabilities, remediation, and exploit information to easily determine what actions should be take to mitigate security risks.
• API-First Approach & Integration:
  An advanced GraphQL interface allows sophisticated integration with external systems including ticketing and vulnerability tracking systems.
• Audit Logging:
  CodeSentry logs API activities, user logins and exports via UI and APIs to ensure proper usage and allow identification of potentially improper or malicious activity.
• Deployment Flexibility:
  CodeSentry can be deployed on-premises. For organizations that wish to maintain lower overhead, it is also available as a single-tenant SaaS deployment.
• Purchasing Flexibility:
  Now available in three options: CodeSentry SBOM Edition, Security Edition, and Advanced Security Edition.
• Live N-Day Updates:
  CodeSentry continuously updates the database of known components and vulnerabilities, and updates existing scans with the latest vulnerabilities, remediation, and exploit information

The CodeSentry Difference

Binary SCAs unique capabilities are unavailable in Source-based SCA solutions.

• No requirement for source code.
  Source code is rarely available for third-party components, and is not always available to security teams, even for in-house applications. Binary SCA can produce an accurate SBOM without access to source code.
• Views code “as deployed”.
  Source SCA only sees components “as built”. CodeSentry analyzes the binary that executes. This allows it to identify any components or vulnerabilities introduced during compilation and packaging code for release. Source SCA also often lists components that are not in the final build image, generating false positives. CodeSentry can accurately tell whether a component is present in the final product or not.
• 2nd, 3rd, and 4th party coverage.
  Direct vendors may use their own third parties for software development. CodeSentry solves this problem by analyzing the final binary “as deployed”. It identifies open source no matter where it entered the software supply chain.
• Shift Left and Shift Right.
  Binary SCA allows organizations to identify vulnerable open source when they evaluate third-party code, well before they incorporate it into their products. The security of delivered software is enhanced by using Binary SCA as a final check to scan binaries before deployment or releasing them to customers.
• N-day and Zero-day Vulnerability detection and security scoring.
  CodeSentry identifies reused components and continuously tracks any vulnerabilities throughout the software lifecycle, supported by daily updates. Detecting critical, N-day, and Zero-day vulnerabilities as well as misconfiguration of security features in compilers early and precisely is key to reducing the cybersecurity risk and impact.

VulnDB Vulnerability Database

Most approaches to SCA leverage NIST’s National Vulnerability Database (NVD) and augment those vulnerabilities with a small number of publicly disclosed vulnerabilities published by the opensource projects. By some estimates, NVD is missing over 90,000 publicly disclosed vulnerabilities and can delay publishing new vulnerabilities for almost 4 weeks – a time during
which attackers have free rein to exploit them.

CodeSentry leverages VulnDB to provide data on opensource security. VulnDB provides the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities. As of 2023, VulnDB contains over 330,000 vulnerabilities, with over 20,000 new vulnerabilities added this year.Yet only two-thirds of these are published in the NVD. This leaves thousands of organizations relying on NVD unable to defend against the risk posed by these
vulnerabilities. testing and lifecycle traceability provide visibility across artifacts for a complete view, from requirements to release.

Supported Broad File Format Coverage

Across Languages, Operating Systems, and Platforms.

With support for a wide range of endpoint software archive formats, including self-extracting installers and popular package managers, CodeSentry makes it easy to scan the applications your organization uses every day. In addition, various virtual machines, disks, embedded, firmware, and mobile images are supported.

System Specifications

Client: Any modern desktop web browser GraphQL API

Deployment: On-premises, FIPS Compatible SaaS (supports GovCloud)

Software Bill of Materials (SBOM) Output: CycloneDX, SPDX, JSON, CSV, PDF, HTML

Aris, Juniper, Kosmos:  SREC, bFLT, base64, Intel Hex, uBoot, wim

Compiled Languages

C/C++:  Executables, objects, libraries (.exe, .obj, .dll, .o, .so, .a, ) Linux Kernel / Kernel Module Other ELF file types

C#: .exe / .dll

Java: java class files, .jar

Go .exe / .dll / .o / .so /

Interpreted Languages

JavaScript:  Manifest, .npm, .js

Python: Manifest, .python, .py

CPU Architectures

CPU Intel, PowerPC, Sparc, Arm32/64, MIPS, AVR32

Desktop/Server Operations Systems

Windows, Linux, macOS: Libraries, Debian, executables, kernel modules, applications

Linux Package Manager: RPM, Debian

RTOS: VxWorks, QNX, INTEGRITY, Linux

Container/ Files Systems

Docker :tar.gz, overlay2, aufs

File System:  ext2, ext3, ext4, iso, squashfs, cramfs, Android Sparse Disk Image, romfs, JFFS2, ubifs, yaffs2, vmdk

Embedded: VxWorks, QNX, Squashfs, Cramfs

Mobile Platforms

Android: apk, Dex, Odex, Android Sparse (disk image)

iOS: ipa

Archive Formats

Type Files: 7z, chm, lzip, rzip, lzma, tar, cpio, lzop, upx, Ar, gzip, xar, bzip2, zip, lrzip, rar, arj, xz, pkg, dmg, msi, msu, cab, rpm, deb, apk (alpine linux)

Firmware

Aris, Juniper, Kosmos, Cisco: SREC, bFLT, base64, Intel Hex, uBoot, wim.