Posted by on Thursday, May 11, 2023

Agreement between Synopsys and ReversingLabs delivers comprehensive software supply chain risk management solution. 

Addressing the supply chain challenge

In recent years, DevOps has changed the way software is released into production. This has created new categories of vulnerabilities and introduced new risks into the software supply chain. What once was rare, such as Stuxnet types of breaches, has become more commonplace in supply chain attacks such as SolarWinds. In many ways, software supply chain security is the “new” DevSecOps, leaving organizations across industries and geographies scrambling to find ways to mitigate risks that they don’t yet fully understand. At the same time, organizations are struggling to comply with calls by regulators demanding greater software transparency in the form of software Bills of Materials (SBOMs) for all software, as well attestation to evolving standards such as the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) to show that they are applying best practices for secure software development.

Forging a new way forward

Both software producers and consumers need help addressing the challenge of software supply chain threats and weaknesses that can leave them exposed to attacks. Many are looking to leverage current investments by using the tools and capabilities they already have, such as software composition analysis (SCA), while expanding the overall completeness of their SBOMs to address broader supply chain risks. Organizations are looking for the level of granular insight required to address supply chain threats that go beyond the JSON-formatted SBOM of today.

That is why Synopsys is partnering with ReversingLabs. By combining the market-leading capabilities of our Black Duck® SCA solution with the ReversingLabs Software Supply Chain Security (SSCS) platform, we can enable organizations to transform how they actively manage software supply chain risks. With Black Duck and ReversingLabs, organizations can track open source components, dependencies, vulnerabilities, and license compliance risks, while also conducting deep binary scanning of commercial and third-party components to identify software tampering and imbedded malware in software packages. And by adding malware and malicious code detection (MCD) on top of comprehensive SBOM generation, Synopsys and ReversingLabs are empowering development teams to address the rapidly evolving supply chain threats of tomorrow while providing powerful tools they can leverage today.

Supply chain value differentiation

On May 11, 2023, Synopsys announced an agreement to resell ReversingLabs solutions, creating the most comprehensive SBOM and supply chain risk management solution in the industry. Together, Synopsys Black Duck SCA and ReversingLabs SSCS provide critical security insights into supply chain risks, threats, and attacks that will help keep customers’ CI/CD workflows and DevOps toolchains more secure. In parallel, the companies have plans to drive an integrated solution that will offer additional capabilities and deployment options that may include but not be limited to

• Tight integrations that encompass the value of Black Duck SCA for signature scanning, snippets, and IaC templates with ReversingLabs SSCS for commercial analysis and malware/threat detection
• A combined SaaS offering via the Polaris Software Integrity Platform® to provide Polaris fAST software supply chain capabilities as a component of the joint solution
• Advanced, customizable intelligence feed services that will combine Black Duck KnowledgeBase™ and ReversingLabs threat intelligence, providing advanced vulnerability and risk insight and alerts on emerging threats and risks that can be ingested into SIEM, GRC, and other systems, customized for the enterprise

Just the beginning

Looking ahead, the combined capabilities of Synopsys Black Duck and ReversingLabs SSCS will enable comprehensive SBOMs that can be exported, imported, and merged. This will enable advanced and accurate software supply chain risk scoring. Users will be able to drill down into open source, commercial, and third-party software components to identify risks and vulnerabilities as well as evidence of tampering or malicious code. The results of the combined security data can be automated by source code management tools such as GitHub and GitLab in addition to a single management console. For organizations truly focused on addressing the supply chain challenge with the most comprehensive scan results and quality at scale, the combination of Synopsys and ReversingLabs is a great place to start.

Learn more about Synopsys’ supply chain offerings