> There is absolutely no way we can perform a full binary analysis of every new version of every binary blob that powers modern IT
I wonder if there's enough demand for a service like this to be viable. Bundled with a universal package manager, signed and verified binaries, caching mechanisms, etc.
I'm sure there's enough demand for someone to sell a service that attempts this, but for several of the reasons mentioned in the post I expect it would be ineffective.
When you run all your code and all its dependencies with full authority, it only takes one tiny piece of malicious code to blow the whole system wide open. I think scanning will always be a losing battle.
Plug: we've been building Packj [1] to detect malicious Python/NPM/Ruby/Rust/Java/PHP packages. It carries out static/dynamic/metadata analysis to look for "suspicious" attributes such as spawning of shell, use of files, network communication, use of decode+eval, mismatch of GitHub code vs packaged code, and several more.
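The static side of the attribute checks listed above (shell spawning, file writes, network imports, decode+eval) can be sketched with the standard `ast` module. The scanner below is an added illustration written for this thread, not Packj's code; its rule tables, the `Finding` type and the two embedded sample sources are all constructed for the example. It does a flow-insensitive, single-hop taint pass for names bound to decoded data before flagging `eval`/`exec`, which is enough to catch the common "decode into a variable, then exec it" shape but will miss longer data flows.

```python
import ast
from dataclasses import dataclass

# Hypothetical rule tables constructed for this example (not Packj's rules).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "requests", "http.client"}
DECODE_FUNCS = {"base64.b64decode", "base64.b85decode", "codecs.decode", "zlib.decompress"}


@dataclass
class Finding:
    kind: str      # "shell", "network", "decode_eval" or "file_write"
    lineno: int
    detail: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _contains_decode(node, tainted):
    """True if the expression calls a decoder, a .decode() method, or reads a tainted name."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call):
            if _dotted_name(sub.func) in DECODE_FUNCS:
                return True
            if isinstance(sub.func, ast.Attribute) and sub.func.attr == "decode":
                return True
    return False


def _open_mode(call):
    """Extract the literal mode string passed to open(), if any."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return mode if isinstance(mode, str) else None


def scan_source(source, filename="<package>"):
    """Return Finding objects, sorted by line, for suspicious attributes in one Python file."""
    tree = ast.parse(source, filename=filename)
    findings = []

    # Pass 1: names bound directly to decoded/decompressed data. Flow-insensitive and
    # single-hop, so it over-approximates and misses multi-step data flow.
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _contains_decode(node.value, set()):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: flag network imports and suspicious calls.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod in NETWORK_MODULES or mod.split(".")[0] in NETWORK_MODULES:
                findings.append(Finding("network", node.lineno, f"imports {mod}"))

        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SHELL_CALLS:
                findings.append(Finding("shell", node.lineno, name))
            elif name in ("eval", "exec") and node.args and _contains_decode(node.args[0], tainted):
                findings.append(Finding("decode_eval", node.lineno, f"{name}() on decoded data"))
            elif name == "open":
                mode = _open_mode(node)
                if mode and any(c in mode for c in "wax+"):
                    findings.append(Finding("file_write", node.lineno, f"open(mode={mode!r})"))

    findings.sort(key=lambda f: f.lineno)
    return findings


# Constructed sample of a package's install hook (not a real package).
SUSPICIOUS_SAMPLE = '''
import base64, subprocess
import urllib.request

def _post_install():
    payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
    exec(payload)
    subprocess.run(["sh", "-c", "id"])
    with open("/tmp/marker", "w") as f:
        f.write("x")
'''

# Constructed benign sample: reads a file, no shell, network or decode+exec.
CLEAN_SAMPLE = '''
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for f in scan_source(SUSPICIOUS_SAMPLE):
        print(f"{f.lineno}: {f.kind}: {f.detail}")
```

Run against the constructed install hook it reports a network import, a decode+exec, a shell spawn and a file write, one per line, and nothing for the benign sample. A real scanner would pair this with the dynamic and metadata checks the comment mentions, since attribute presence alone (a legitimate CLI tool also spawns shells and writes files) is a signal to triage, not a verdict.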
Making and maintaining a universal package manager then getting it deployed completely enough at any large org to make a difference strikes me as on the order of “let’s build a perpetual motion machine that’s also a fusion reactor” as far as feasibility level.
… now, that doesn’t mean one couldn’t make money while utterly failing to ultimately deliver the promised value.
I'd settle for a source analysis and reproducible builds for just our myriad open source dependencies. All it takes is a single developer to be compromised in the thousands throughout a typical stack.