SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

NetRise launches AI tool to spot unknown software weaknesses

Today

NetRise has announced the launch of NetRise ZeroLens, an AI-powered cybersecurity product designed to help organisations and device manufacturers identify undisclosed software weaknesses before they are exploited.

The new product expands the capabilities of NetRise's software supply chain security platform, which creates a software asset inventory and uses binary composition analysis (BCA) to detect risks in compiled code - software that is actually running on devices and systems. BCA is a technique allowing the identification of vulnerabilities not typically found by traditional vulnerability scanners or source code analysis.

NetRise ZeroLens specifically focuses on analysing compiled code for common weaknesses (CWEs) that have not yet been classified as vulnerabilities. Integrating artificial intelligence, the product summarises detected CWEs and provides remediation guidance by evaluating the context of the code where weaknesses are found.

Thomas Pace, Chief Executive Officer of NetRise, stated, "By identifying weaknesses in code already running on devices that are critical to the enterprise, NetRise ZeroLens provides CISOs and their teams a path to rapid detection and mitigation before those weaknesses are exposed as vulnerabilities. The cybersecurity market has been begging for proactive vulnerability identification instead of constantly operating in a reactive model. NetRise ZeroLens is proactive vulnerability identification at scale."

Key benefits highlighted by NetRise include enhanced risk quantification, as ZeroLens identifies previously unknown weaknesses in binary software, enabling improved risk management decisions. For security researchers and red teams, ZeroLens aims to enable the concurrent upload and analysis of thousands of binaries, reducing the burden traditionally associated with manual analysis. Additionally, device manufacturer product security teams are given new options for proactively detecting and prioritising code weaknesses before exploitation.

Garrett Schumacher, Business Unit Director, Product Security at Velentium Medical, commented on the significance for the medical sector, stating, "Nearly all of the medical devices whose security we ensure run on firmware. NetRise ZeroLens gives us the ability to test software that other static analysis tools don't handle well, for instance where no industry standard or insufficient rulesets for secure coding exist. We will use NetRise ZeroLens to enforce CWE analysis on such projects in addition to NetRise's supply chain security offerings."

NetRise ZeroLens not only identifies weaknesses but also uses its AI capabilities to generate summaries that advise on mitigation measures. Michael Scott, Chief Technology Officer at NetRise, explained, "NetRise ZeroLens provides researchers and developers specific guidance based on its findings. For example, if the tool finds a buffer overflow, the summary looks at the functions within the code, contextual usage, and can determine whether the input is user-supplied or static, informing and advising accordingly."

Zero-day vulnerabilities such as the Log4j incident underscore the demand for tools capable of early detection. The Log4j vulnerability, discovered in December 2021, impacted nearly 90% of global enterprises, and further analysis indicated that two years on, approximately 38% of organisations still used vulnerable versions of the library.

Pace reflected on the broader intent behind the new product, adding, "NetRise ZeroLens builds on our founding vision by adding to the software asset inventory a look beyond vulnerabilities to finding weaknesses that have yet to be exploited by bad actors. This enhanced context allows for better understanding of risk within the organisation and proactive planning to mitigate that risk."
