ReversingLabs Launches Spectra Assure Community – The Largest, Free Resource of Comprehensive Risk Assessments on Open Source Software
26 June 2024 - 10:00AM
ReversingLabs (RL), the trusted name in file and software security,
today introduced Spectra Assure Community, the largest, free
community resource that makes it easy for software producers to
quickly vet open source software packages by providing a
comprehensive risk analysis. Leveraging RL’s award-winning Spectra
Assure software supply chain security solution, Spectra Assure
Community enables developers, repository managers, and engineering
teams, among others, to check more than 5 million code packages
from open source repositories for malicious code, code tampering,
suspicious behaviors, known vulnerabilities, license compliance
issues, exposed secrets, and overall package health.
Malicious attacks on public open source repositories are now as
pervasive as developers' use of open source dependencies, making it
increasingly difficult for software producers to implicitly trust
the safety of every piece of code. RL marked an astounding 1,300%
increase in malicious open source packages from 2020 to 2023, and
an increase of 28% over 2022, when a little more than 8,700
malicious packages were detected. Additionally, the 2024 Verizon
Data Breach Investigation Report reported a significant increase in
software supply chain attacks. The report reinforced that
developers have become a prime target for criminal and nation-state-
sponsored actors and must be sure open source from repositories is
free from malware.
Spectra Assure Community provides a free risk assessment for
open source components from the most popular package repositories
such as npm, PyPI, and RubyGems. It provides a comprehensive risk
assessment for software packages, offering visibility into threats,
security, and compliance issues. This community resource provides
these unique insights into OSS packages through:
- Comprehensive analysis: Using Spectra Assure’s
proprietary AI-driven complex binary analysis to analyze each
component of a software binary for malicious code, tampering, or
other risks or threats.
- Advanced threat detection: RL maintains the
most complete and up-to-date corpus of malware in the world, which
enables unique visibility and detection of emerging threats within
OSS repositories.
- Standardized security assurance: The Spectra
Assure Risk Assessment is presented in a normalized format for the
selected package, allowing users to make a simple comparison.
Building with safe and secure components is foundational to
stopping hackers and software supply chain attacks. Spectra Assure
Community increases the build quality and security, saves time, and
improves traceability to help any development organization deliver
safe and on-time builds.
“We can no longer deny that software represents the largest
under-addressed attack surface facing businesses today. The threats
hiding among open source, proprietary, commercial and third-party
code are leaving software producers and enterprise consumers at
increasing risk,” said Tomislav Pericin, co-founder and chief
software architect, ReversingLabs. “We are committed to helping
developers make software safe for all with easily searchable,
real-time threat intelligence data about software packages in open
source repositories.”
Community Contribution
Today’s launch of Spectra
Assure Community underscores RL’s enduring commitment to protect
open source communities from threats hidden in the software supply
chain. The RL Threat Research team has long helped to find
malicious code in package repositories and work with administrators
to facilitate removal, while regularly sharing threat intelligence.
Recent RL research includes IAmReboot: Malicious NuGet
packages exploit loophole in MSBuild integrations and VMConnect:
Malicious PyPI packages imitate popular open source modules. RL
will also contribute lists of these malicious packages to
the OpenSSF Malicious Packages repository, the first open
source system for collecting and publishing cross-ecosystem reports
of malicious packages.
“ReversingLabs’ contributions to the OpenSSF Malicious Packages
repository will allow us to grow the database and provide enriched
data about malicious packages to researchers looking to identify
trends and specific bad actors,” said Omkhar Arasaratnam, General
Manager, OpenSSF. “Their contributions will help to power a public
database that aggregates reports of malicious packages discovered
in open source repositories with the potential to stop malicious
dependencies from moving through CI/CD pipelines, refine detection
engines, scan for and prevent usage in environments, or accelerate
incident response.”
To learn more about Spectra Assure Community or check your open
source software package for any threat, visit secure.software.
About ReversingLabs
ReversingLabs is the trusted
name in file and software security. We provide the modern
cybersecurity platform to verify and deliver safe binaries. Trusted
by the Fortune 500 and leading cybersecurity vendors, RL Spectra
Core powers software supply chain and file security insights,
tracking over 40 billion searchable files daily with the ability to
deconstruct full software binaries in seconds to minutes. Only
ReversingLabs provides that final exam to determine whether a
single file or full software binary presents a risk to your
organization and your customers.
Media Contact
Doug Fraim
Guyer Group
Doug@Guyergroup.com