Software Supply Chain Product Security

Think Your Source Code Is Secure? Check Your Firmware

2 min read

Jun 2, 2025 10:30:00 AM

Your source code might be clean, but your firmware is a party full of strangers. And some brought vulnerabilities, both known and unknown.

Why Source Code Isn’t the Final Word

We’ve all heard it: "We scan the source. We're good." But are we? Not quite.

In reality, what you write and what ends up running on a device are rarely the same thing. Compilers optimize, build environments inject configs, and developers sometimes cut corners ( this is my shock and awe face). The result? Code mutations you didn’t see coming.

Compilation is Transformation

Think of source code like a movie script. What ends up on screen—the firmware—is the director’s cut. Scenes are edited, characters change, and sometimes a surprise actor shows up uncredited.

Compilers strip symbols
Build scripts swap dependencies
Optimization settings remove or morph intended logic
Static libraries get bundled in, sometimes without even telling you

Bottom line? By the time your firmware is built, it might be something very different from what you wrote.

Binaries Don’t Lie, But They Don’t Talk Easy

If you want the truth, you need to analyze the binaries themselves. And that means digging deep:

Reverse Engineering to recover function names, structures, and linked libraries
Signature Matching to identify known vulnerabilities in stripped or obfuscated code
Reachability Analysis to determine if vulnerable code paths are actually accessible at runtime

Traditional scanners don’t do this. They either fail outright or stop at surface-level inspection.

Case Study: GRIPE vs. Finite State

We tested an intentionally vulnerable firmware (IoT Goat) with a traditional container scanner. It flagged 247 issues. Not bad, right?

Then we ran it through a binary-level analysis with the Finite State platform.

Result? Almost 7,000 findings. Including:

Critical CVEs missed by the first scan
Hardcoded credentials
Crypto material
Deeply buried, exploitable logic flaws

The truth was buried in the binaries. And most tools didn’t even bother to dig. We don’t fault them for that, it’s just not what they were designed to do - and gives us a false sense of security.

Why It Matters

Regulations Are Coming (Or Are Already Here): Cyber Resilience Act, Cyber Trust Mark, FDA 524B... they want transparency and real risk assessments.
Attackers Don’t Care About Your Source Code: They go after what runs.
SBOM Accuracy Depends on Reality: And reality lives in your firmware, not your IDE.

Take Action

Include binary analysis in your CI/CD. Yes, it’s possible. Yes, it scales.
Scan your firmware, not just your codebase. Bonus: you catch your suppliers’ mistakes, too.
Correlate code-level intent with binary-level output. See if what you meant is what you shipped.

Explore what's next for IoT security Catch the full discussion from our recent webinar, “The Future of IoT Security,” featuring cybersecurity expert Larry Pesce — now available on-demand.

Final Word

Your source code might tell a beautiful story, but attackers read your firmware. If you’re not analyzing your binaries, you’re leaving your devices open to surprise plot twists. And in IoT security, surprise is rarely good.

Next up: Open source love and liability—what happens when your third-party components turn against you.

Share this

Previous story

← Shellfish, SBOMs, and Firmware: A Security Tale You Won’t Forget

Next story

The Open Source Trojan Horse — Hidden Risk in Reused Code →