Your source code might be clean, but your firmware is a party full of strangers. And some brought vulnerabilities, both known and unknown.
Why Source Code Isn’t the Final Word
We’ve all heard it: "We scan the source. We're good." But are we? Not quite.
In reality, what you write and what ends up running on a device are rarely the same thing. Compilers optimize, build environments inject configs, and developers sometimes cut corners ( this is my shock and awe face). The result? Code mutations you didn’t see coming.
Compilation is Transformation
Think of source code like a movie script. What ends up on screen—the firmware—is the director’s cut. Scenes are edited, characters change, and sometimes a surprise actor shows up uncredited.
- Compilers strip symbols
- Build scripts swap dependencies
- Optimization settings remove or morph intended logic
- Static libraries get bundled in, sometimes without even telling you
Bottom line? By the time your firmware is built, it might be something very different from what you wrote.
Binaries Don’t Lie, But They Don’t Talk Easy
If you want the truth, you need to analyze the binaries themselves. And that means digging deep:
- Reverse Engineering to recover function names, structures, and linked libraries
- Signature Matching to identify known vulnerabilities in stripped or obfuscated code
- Reachability Analysis to determine if vulnerable code paths are actually accessible at runtime
Traditional scanners don’t do this. They either fail outright or stop at surface-level inspection.
Case Study: GRIPE vs. Finite State
We tested an intentionally vulnerable firmware (IoT Goat) with a traditional container scanner. It flagged 247 issues. Not bad, right?
Then we ran it through a binary-level analysis with the Finite State platform.
Result? Almost 7,000 findings. Including:
- Critical CVEs missed by the first scan
- Hardcoded credentials
- Crypto material
- Deeply buried, exploitable logic flaws
The truth was buried in the binaries. And most tools didn’t even bother to dig. We don’t fault them for that, it’s just not what they were designed to do - and gives us a false sense of security.
Why It Matters
- Regulations Are Coming (Or Are Already Here): Cyber Resilience Act, Cyber Trust Mark, FDA 524B... they want transparency and real risk assessments.
- Attackers Don’t Care About Your Source Code: They go after what runs.
- SBOM Accuracy Depends on Reality: And reality lives in your firmware, not your IDE.
Take Action
- Include binary analysis in your CI/CD. Yes, it’s possible. Yes, it scales.
- Scan your firmware, not just your codebase. Bonus: you catch your suppliers’ mistakes, too.
- Correlate code-level intent with binary-level output. See if what you meant is what you shipped.