How to communicate security issues to vendors

This guide outlines a general workflow for enterprise buyers to communicate with their software vendors about resolving critical issues detected by the Spectra Assure Portal during analysis.

In this context, an enterprise buyer is any organization that receives third-party commercial software from an external software producer (vendor) and/or implements that software as part of its own software supply chain.

Third-party commercial software can include: compiled binaries, internal components of an application (and their dependencies), runtime dependencies, software containers, and other supported software distribution formats.

This guide relies on the report sharing feature available in the Spectra Assure Portal. Report sharing is supported only in Portal Projects, not in the File Stream.

Workflow overview:

  1. Analyze software with the Spectra Assure Portal
  2. Verify issues in the analysis report
  3. Decide which issues to communicate to vendors
  4. Share the analysis report with vendors

When and why to use this guide

The workflow suggested in this guide should be incorporated into your continuous third-party risk assessment processes. You can also use it as part of procurement and compliance reporting activities.

Communication between you and your vendors is meant to be mutually beneficial.

The goal is to help you:

  • Confirm the relevance of detected issues and ensure you aren't over-reporting risk
  • Reduce your overall software supply chain attack surface
  • Maintain constructive relationships with vendors and establish feedback loops
  • Meet your compliance and third-party security risk requirements

while helping your vendors:

  • Understand and align with your security expectations
  • Fulfill their contractual obligations and responsibilities
  • Allocate resources and prioritize resolving issues
  • Proactively address other potential issues

The most common scenario for sharing analysis reports with external software vendors is to follow up on failing issues in the report and discuss their remediation. By default, failing issues are usually policy violations with P0 priority. However, your use cases may require different risk appetites and tolerances. This is why the default policy configuration can be modified to suppress or raise risk alarms for different types of issues.

Before proceeding with any communication, it's important to adopt a tactical approach. Avoid sharing analysis reports indiscriminately. Escalate issues to vendors according to the existing thresholds established in your third-party risk assessment management program.

ReversingLabs recommends contacting your vendors only when failing issues are detected. The Critical issues to communicate section lists specific policy violations you should point out to the vendors when sharing your reports with them.

In some cases, it's advisable to contact ReversingLabs for help. Specifically, our Support can help you verify true positive malware detections and some types of tampering. Check the Contact ReversingLabs Support section for instructions.

Prerequisites

To successfully share analysis reports with your software vendors, you need:

  1. An active Spectra Assure Portal user account. If you don't already have a Portal account, you may need to contact the administrator of your Portal organization to invite you. Alternatively, if you're not a Spectra Assure customer yet, you can sign up for a free trial.

  2. Any of the following roles assigned to your Portal user account: Organization Administrator, Organization Security, Group Owner. Report sharing is only available to users with those roles.

  3. Access to Portal Projects, where you have to upload the software for analysis. You can do this directly through the web interface, with the Portal API, or by using the Portal Docker image together with any of the Portal integrations. If you want to share the report for software previously analyzed in the File Stream, you must first move it to Projects.

1. Assess the report

To evaluate the results after analyzing the software:

  • Access the report in the web interface of your Portal instance.

  • Focus on failing issues in the report. The report summary page highlights the most important ones in the Issues section.

  • Select the Failed button in the Issues section to show only the issues with the CI/CD FAIL status. Alternatively, access the Issues page from the sidebar on the left and use the Add Filter button to apply your own criteria for displaying issues.

  • Expand every issue to view specific files where it was detected. Select the file name to view more details about each affected file.

  • Use the detailed file information to verify the file origin and to confirm which of the affected files in the software come from which vendor. You can copy relevant file names, paths, or hashes from the report into a separate note for later reference.

Critical issues to communicate

Depending on software licenses, risk type, and issue complexity, you may be able to remediate some of the detected issues on your own (e.g. by applying patches or reconfiguring your systems).

Before contacting any of the vendors, it's important to determine that detected issues are in fact present in your environment, and correctly estimate the risk they pose.

Your service agreement with a vendor may have restrictions on issue reporting and resolution. Even if such restrictions are in place, there are still a number of critical issues that warrant contacting the vendor.

The following table lists specific issues (policy violations) that you should always communicate to vendors.

Risk type / Policy violations

Malware detected
  • SQ20110 - Detected digital signatures that contain a blacklisted certificate.
  • SQ20113 - Detected digital signatures that contain a certificate trying to impersonate a trusted publisher.
  • SQ30104 - Detected presence of malicious files by a dedicated signature.
  • SQ30105 - Detected presence of known software supply chain attack artifacts.
  • SQ30106 - Detected presence of malicious files by a YARA signature.
  • SQ30107 - Detected presence of malicious files by a heuristic signature.
  • SQ30108 - Detected presence of malicious files by a machine learning algorithm.
  • SQ30109 - Detected presence of malicious files through analyst-vetted file reputation.
  • SQ30110 - Detected presence of malicious files through file reputation or third-party scanners.
  • SQ30118 - Detected presence of structural file format exploits.

Tampered signatures
  • SQ30113 - Detected presence of suspicious files due to failure in signed integrity validation checks.
  • SQ20115 - Detected digital signatures that are failing integrity validation check.

Unprotected keys
  • SQ34102 - Detected presence of private SSH keys.
  • SQ34106 - Detected presence of private PGP keys.
  • SQ34107 - Detected presence of private certificates.

Source code leaks
  • SQ34201 - Detected presence of version control tool artifacts.

CVE patching mandates
  • SQ31101 - Detected presence of patch mandated vulnerabilities.

You can quickly check if any of these issues are present in your analysis report by directly searching for their policy ID:

  • Access the Issues page in the report and select Add Filter.

  • Select Filter by Issue. Set the Operator to "is" and the Value to any of the policy IDs from the table, then click Save.
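The following triage helper is an added example, not code from ReversingLabs or the Portal: it applies the policy-ID table above to a list of issues, keeps only FAIL-status issues in the critical set, groups affected files per vendor, and flags which vendors' findings (malware, tampering) are also worth sending to ReversingLabs Support for true positive verification. The issue record shape, vendor names, paths and hashes are constructed for the example; the Portal's real report export format is not described on this page.

```python
# Triage helper for Spectra Assure report findings: keep FAIL-status issues
# whose policy ID is in the "Critical issues to communicate" table, group the
# affected files per vendor, and flag vendors whose findings go to Support too.
from collections import defaultdict

# Policy IDs from the table above, keyed by risk type.
CRITICAL_POLICIES = {
    "Malware detected": {"SQ20110", "SQ20113", "SQ30104", "SQ30105", "SQ30106",
                         "SQ30107", "SQ30108", "SQ30109", "SQ30110", "SQ30118"},
    "Tampered signatures": {"SQ30113", "SQ20115"},
    "Unprotected keys": {"SQ34102", "SQ34106", "SQ34107"},
    "Source code leaks": {"SQ34201"},
    "CVE patching mandates": {"SQ31101"},
}
# Risk types that ReversingLabs Support can verify as true positives.
SUPPORT_VERIFIABLE = {"Malware detected", "Tampered signatures"}

def risk_type(policy_id):
    """Risk type for a critical policy ID, or None if it is not in the table."""
    return next((risk for risk, ids in CRITICAL_POLICIES.items() if policy_id in ids), None)

def triage(issues):
    """Return ({vendor: {risk_type: [(path, sha256), ...]}}, vendors_for_support).

    `issues` is a list of dicts with keys policy, status, vendor, path, sha256;
    this record shape is an assumption made for the example, not the Portal's format.
    """
    by_vendor = defaultdict(lambda: defaultdict(list))
    for_support = set()
    for issue in issues:
        if issue["status"] != "FAIL":   # this guide escalates only failing issues
            continue
        risk = risk_type(issue["policy"])
        if risk is None:                # not in the table: decide per your own policy
            continue
        by_vendor[issue["vendor"]][risk].append((issue["path"], issue["sha256"]))
        if risk in SUPPORT_VERIFIABLE:
            for_support.add(issue["vendor"])
    return {v: dict(r) for v, r in by_vendor.items()}, for_support

# Constructed sample issues (placeholder vendors, paths and hashes; "SQ00000" is a
# placeholder standing in for some non-critical policy ID, not a real one).
SAMPLE_ISSUES = [
    {"policy": "SQ34102", "status": "FAIL", "vendor": "VendorA",
     "path": "app/config/id_rsa", "sha256": "aa" * 32},
    {"policy": "SQ30104", "status": "FAIL", "vendor": "VendorB",
     "path": "bin/helper.exe", "sha256": "bb" * 32},
    {"policy": "SQ00000", "status": "FAIL", "vendor": "VendorA",
     "path": "lib/old.dll", "sha256": "cc" * 32},
    {"policy": "SQ30113", "status": "PASS", "vendor": "VendorB",
     "path": "bin/ok.exe", "sha256": "dd" * 32},
]
```

Calling `triage(SAMPLE_ISSUES)` yields one note per vendor with only the critical failing files (the placeholder policy and the PASS-status item are dropped) and marks VendorB's malware finding for Support verification.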

What about other issues?

There may be other high priority issues detected by Spectra Assure in your report.

You may decide to communicate them to vendors based on your security policies and vendor obligations stipulated in your contracts. However, ReversingLabs recommends communicating only this limited set of issues to maximize the benefits of report sharing and optimize issue remediation.

2. Share the report

To share the analysis report:

  • Open the report in the web interface of your Portal instance.

  • Use the Share Report button at the top right of the report to get a shareable link. Follow the report sharing guide for detailed instructions.

  • Copy the shareable link for the report to send it manually to anyone. Link sharing can also be done directly from the report sharing dialog. Keep in mind that shareable links expire and can be revoked by other Portal users, so you can't reuse them indefinitely.

  • Repeat this procedure for as many software versions as you need.

  • Depending on the types of issues in your report, either send the link(s) to your software vendors or to ReversingLabs support.

Communicate with software vendors

The details of your communication with third-party software vendors will be regulated by your contracts, service agreements, and any other obligations in place.

Because of this, there is no one-size-fits-all approach to recommend.

However, you can follow some general best practices when communicating with vendors:

  • If possible, reach out to your assigned technical point of contact instead of sending a general support request.
  • Respect your organization's and your vendor's confidentiality and data privacy policies when sharing reports.
  • Ask vendors for confirmation and clarity around specific issues.
  • Agree on expected timelines, action items, and next steps in resolving the issues.

Contact ReversingLabs Support

You can contact ReversingLabs Support for assistance with verifying a limited set of issues in your analysis reports.

Specifically, we can verify true positives for:

  • malware
  • tampering

If your report contains any of those issues, send an email with the report link to ReversingLabs Support. You can use the following template for the email. Feel free to expand the template with more details relevant to your case.

Email template
Subject: True positive verification request

Body:

Hello,

I am [your name] from [your company, organization or other affiliation]
and I would like to request verification of security issues in my Spectra Assure analysis report.

The report link: [copy and paste your report link here]

Thanks,
[your signature]

Keep in mind that in some cases, ReversingLabs Support may directly access the analyzed software on your Portal instance to fulfill your request.