What do Burritos have to do with Software Assurance?
Posted by Mario Vuksan on Thu, Jul 31, 2008
Here's one of the most brilliant illustrations of a principal software assurance problem. It is the story of a lonely burrito, and of what we really know about the software in our environment. It was created by Brian Chess, Chief Scientist and Founder at Fortify Software, for the May meeting of the Software Assurance Forum. The full presentation can be found here. It does an amazing job of telling the story.
So what do we do when we are presented with a tasty burrito? We can wonder whether it is really a burrito. What is it filled with? These are easy tasks. Unwrap the tortilla and the ingredients, although mixed, will be self-evident. But does it taste good? Easy task: try the burrito and determine if you want to proceed. Yet it is not possible to easily tell where this burrito has come from.
A burrito is a wonderful analogy for a software application. How often do we find an application on our system that looks and feels like an application, but we do not know what to do with it? If it is an installer, we can install it (hoping it is not malicious), or we could do a bit of reverse engineering to probe the internals. Then, if still curious, we could get a taste for its behavior by running it. But we still will not know where that software application has come from, barring the existence of a digital certificate.
Bit9's Global Software Registry helps you with just that: being able to tell where files and software are coming from. This information is not extracted from the software itself; rather, the software is matched against a trusted central repository which, using cryptographic hashes (the digital world's equivalent of DNA matching or RFID scanning), can accurately determine where a piece of software has come from.
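To make the hash-matching idea concrete, here is an added example that is not code from the original post or from Bit9. It assumes SHA-256 as the fingerprint (the post does not name the registry's algorithm), and the "registry" and file contents are constructed in-line. The point it demonstrates is the one the paragraph makes: provenance is looked up by content identity alone, so a renamed copy still matches, while a copy altered by a single bit falls out of the registry entirely and is reported as unknown rather than as a near match.

```python
import hashlib
from typing import Optional


def file_fingerprint(data: bytes) -> str:
    """Identity of a file is the cryptographic hash of its content (SHA-256 assumed here)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binary" standing in for a real installer (96 bytes of made-up content).
KNOWN_GOOD = b"MZ\x90\x00\x03\x00\x00\x00 example-installer-v1.0 " + bytes(range(64))

# A copy with one bit flipped in the body: same size, same name, different identity.
_altered = bytearray(KNOWN_GOOD)
_altered[40] ^= 0x01
TAMPERED = bytes(_altered)

# Constructed trusted registry: digest -> provenance record. Every entry is made up;
# a real registry would be populated from publisher submissions, not from the file at hand.
TRUSTED_REGISTRY = {
    file_fingerprint(KNOWN_GOOD): {
        "publisher": "Example Corp (constructed)",
        "product": "Example Installer",
        "version": "1.0",
        "status": "trusted",
    },
}


def lookup_provenance(data: bytes, registry: dict = TRUSTED_REGISTRY) -> Optional[dict]:
    """Return the registry record for this content, or None if the content is unknown.

    Only the bytes are consulted: file name, path, extension and size play no role,
    which is exactly why a renamed copy matches and a patched copy does not.
    """
    return registry.get(file_fingerprint(data))


def classify(data: bytes, registry: dict = TRUSTED_REGISTRY) -> str:
    """Collapse a lookup to a verdict: the registry's stated status, or 'unknown'."""
    record = lookup_provenance(data, registry)
    return "unknown" if record is None else record["status"]


if __name__ == "__main__":
    # "renamed copy" reuses the same bytes under a different label to show the name is irrelevant.
    samples = [
        ("setup.exe (original)", KNOWN_GOOD),
        ("totally_different_name.bin (renamed)", KNOWN_GOOD),
        ("setup.exe (one bit altered)", TAMPERED),
    ]
    for label, blob in samples:
        print(f"{label:40s} {file_fingerprint(blob)[:16]}...  -> {classify(blob)}")
```

Running the script prints the same truncated digest and verdict for the first two rows and a different digest with the verdict `unknown` for the third. The design choice worth noting is that the altered file is not "nearly trusted": a cryptographic hash gives no partial credit, so anything that is not an exact registry match needs a separate decision (deny, sandbox, or investigate) rather than being waved through on the strength of its name.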