April 23, 2024

Next Gen Binary Risk Intelligence: Introducing Binarly Transparency Platform v2.0

Alex Matrosov

When we started Binarly in 2021, we had a simple idea: bring more transparency to the software supply chain through program analysis. Most current software composition analysis (SCA) and software supply chain solutions analyze binary code with rudimentary methods: they either match hard-coded byte patterns or verify the integrity of known components. From the perspective of detecting unknown risks, or of handling recompiled code whose byte patterns no longer match a signature, these approaches prove inadequate.

Software supply chain security risks are complex and multifaceted. Defenders must possess robust tools to mitigate known risks effectively, yet they often face entirely different challenges with unknown risks, which may involve problems never seen before. Last month, we secured a new round of financing and outlined our vision to spearhead innovations aimed at enhancing the security of the software supply chain.

Timeline of Binarly's growth from inception in 2021 to the launch of Transparency Platform v2.0 in 2024

Just last week, Binarly's research team disclosed that a known vulnerability in an open-source component is heavily impacting the firmware supply chain ecosystem. The risk was known, but the firmware ecosystem was very slow to pick up the downstream update for years, which left significant risk and attack surface in place.

The infamous XZ backdoor was another perfect example of how hard unknown risk is to mitigate. The backdoor used novel techniques that allowed the threat actors to evade detection by current security solutions.

This is a new type of threat, and the industry is not quite ready for it. For a long time, we depended on recognizing risks by matching hard-coded patterns or by flagging anomalies against established reputation rankings of good and bad behaviors. Unfortunately, these methods are ineffective against novel implants, leaving us exposed to repeated failures and incidents. The XZ backdoor incident should serve as a wake-up call for the industry. Binarly is pioneering a response, having developed XZ.fail within 24 hours: a method to detect the code-level implantation techniques used in backdoored software components. This capability stems from our next-generation Binary Risk Intelligence technology, built upon our patented program analysis solution.

In modern software ecosystems, the diversity of compilers and of binary artifacts produced by different runtime environments leads to heavy false positives and significant alert fatigue. Last year, we released the first generation of the Binarly Transparency Platform to showcase the ability to detect unknown firmware threats and vulnerabilities.

Diagram showing how early Binarly can catch issues in the development process, greatly reducing risk

The platform has automatically detected hundreds of new vulnerabilities, addressing our customers' security risks before they could escalate. Our patented approach, powered by modern AI, has also proactively neutralized known threats. Last year, at the Black Hat Startup Spotlight competition, we introduced the industry's first AI assistant designed to minimize the delay between discovering a vulnerability and delivering a fix. Feedback from Binarly customers indicates that this strategy significantly cuts both the time and the cost of developing fixes.


Binarly allows you to integrate secure-by-design compliance into your existing workflow

Today, I am pleased to announce the culmination of our team's substantial efforts with the launch of the next generation of our flagship product: Binarly Transparency Platform v2.0, powered by Binary Risk Intelligence technology.


This release brings enhanced clarity and transparency to the software supply chain ecosystem through the lens of Binary Risk Intelligence. It enables enterprise security teams and empowers product security organizations to implement a secure-by-design approach at scale.

Binarly dashboard showing where unknowns appear in your development cycle

  • Ensure post-build compliance by continuously monitoring and validating for security-related changes.
  • Gain insights into the security posture of IoT and XIoT devices, enabling a deeper understanding of their vulnerabilities and dependencies.
  • Identify malicious behavior and hidden backdoors within binaries based on their behavior.
  • Detect insecure coding practices and coverage of build-time mitigations within each binary.
  • Gain insights into what software is truly made of, enabling production and validation of SBOMs for a deeper understanding of corresponding risks.
  • Detect license obligations buried within the binaries you depend on to avoid legal issues down the road.
  • Detect embedded keys and insecure cryptographic usage patterns, to catch key leaks and incorrect cryptographic use before shipping.
  • Empower security leadership to make informed decisions with a curated dashboard.
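To make the post-build checks in the list above concrete (build-time mitigation coverage and embedded keys), here is a small standalone script. It is an added example written for this page, not Binarly's code and not how the platform implements these checks; it parses only the ELF64 header and program headers, treats a missing PT_GNU_STACK as NX disabled (the conservative reading), reports only partial RELRO (PT_GNU_RELRO present) because full RELRO also needs the DT_BIND_NOW dynamic tag, and builds its own constructed sample images so it runs offline.

```python
import re
import struct

# ELF64 constants from the ELF specification and the GNU extensions.
ET_EXEC = 2
ET_DYN = 3                 # position-independent executables are ET_DYN
PT_GNU_STACK = 0x6474E551  # stack permissions
PT_GNU_RELRO = 0x6474E552  # read-only-after-relocation region
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# PEM private-key markers as they appear when a key is embedded in a binary.
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        phdrs.append(struct.unpack_from(endian + "II", data, off))
    return e_type, phdrs


def check_mitigations(data):
    """Grade PIE, NX and (partial) RELRO from the program headers alone."""
    e_type, phdrs = parse_elf64(data)
    flags_by_type = dict(phdrs)
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all is graded as NX off: the loader then falls
        # back to an executable stack on the common architectures.
        "nx": PT_GNU_STACK in flags_by_type
              and not (flags_by_type[PT_GNU_STACK] & PF_X),
        "relro": PT_GNU_RELRO in flags_by_type,  # partial RELRO only
    }


def find_embedded_keys(data):
    """Offsets of PEM private-key headers found anywhere in the image."""
    return [m.start() for m in PEM_KEY_RE.finditer(data)]


def post_build_check(data):
    """Combine both checks into one compliance verdict for a built artifact."""
    report = check_mitigations(data)
    report["embedded_keys"] = find_embedded_keys(data)
    report["compliant"] = (report["pie"] and report["nx"] and report["relro"]
                           and not report["embedded_keys"])
    return report


def build_test_elf(pie, exec_stack, relro):
    """Constructed sample input: a minimal little-endian ELF64 image with only
    a header and program headers (enough for the checks above, not loadable)."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8)
                    for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    hardened = build_test_elf(pie=True, exec_stack=False, relro=True)
    # Constructed "bad" artifact: no PIE, executable stack, no RELRO, and a
    # PEM private key appended to the image.
    leaky = build_test_elf(pie=False, exec_stack=True, relro=False) \
        + b"-----BEGIN RSA PRIVATE KEY-----\n"
    for name, image in (("hardened", hardened), ("leaky", leaky)):
        print(name, post_build_check(image))
```

The same parse works on a real x86-64 binary (`post_build_check(open(path, "rb").read())`); for a genuine gate, extend it with the dynamic section (DT_BIND_NOW for full RELRO, DT_NEEDED for the dependency list) and with per-architecture stack defaults.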

Binarly dashboard illustrating how informed decisions can be made

Today's reality is that security solutions cannot keep pace with the scale of the problem, which requires a more comprehensive approach and better visibility. Binarly Transparency Platform v2.0 delivers a new, actionable and data-driven paradigm for how security teams and software developers detect, analyze, and fix or react to software security risks. Binary Risk Intelligence technology reduces both the latency of reacting to a problem and the cost of fixing it.

Are you interested in learning more about The Binarly Transparency Platform or Binary Risk Intelligence technology? Don't hesitate to contact us.

What's lurking in your firmware?