Finite State Blog

Think Your Source Code Is Secure? Check Your Firmware First

Written by Larry Pesce | Jun 2, 2025 2:30:00 PM

Your source code might be clean, but your firmware is a party full of strangers. And some brought vulnerabilities, both known and unknown.

Why Source Code Isn’t the Final Word

We’ve all heard it: "We scan the source. We're good." But are we? Not quite. 

In reality, what you write and what ends up running on a device are rarely the same thing. Compilers optimize, build environments inject configs, and developers sometimes cut corners ( this is my shock and awe face). The result? Code mutations you didn’t see coming.

 

Compilation is Transformation

Think of source code like a movie script. What ends up on screen—the firmware—is the director’s cut. Scenes are edited, characters change, and sometimes a surprise actor shows up uncredited.

  • Compilers strip symbols
  • Build scripts swap dependencies
  • Optimization settings remove or morph intended logic
  • Static libraries get bundled in, sometimes without even telling you

Bottom line? By the time your firmware is built, it might be something very different from what you wrote.

 

Binaries Don’t Lie, But They Don’t Talk Easy

If you want the truth, you need to analyze the binaries themselves. And that means digging deep:

  • Reverse Engineering to recover function names, structures, and linked libraries
  • Signature Matching to identify known vulnerabilities in stripped or obfuscated code
  • Reachability Analysis to determine if vulnerable code paths are actually accessible at runtime

Traditional scanners don’t do this. They either fail outright or stop at surface-level inspection.

 

Case Study: GRIPE vs. Finite State

We tested an intentionally vulnerable firmware (IoT Goat) with a traditional container scanner. It flagged 247 issues. Not bad, right?

Then we ran it through a binary-level analysis with the Finite State platform.

Result? Almost 7,000 findings. Including:

  • Critical CVEs missed by the first scan
  • Hardcoded credentials
  • Crypto material
  • Deeply buried, exploitable logic flaws

The truth was buried in the binaries. And most tools didn’t even bother to dig. We don’t fault them for that, it’s just not what they were designed to do - and gives us a false sense of security.

 

Why It Matters

  • Regulations Are Coming (Or Are Already Here): Cyber Resilience Act, Cyber Trust Mark, FDA 524B... they want transparency and real risk assessments.
  • Attackers Don’t Care About Your Source Code: They go after what runs.
  • SBOM Accuracy Depends on Reality: And reality lives in your firmware, not your IDE.

 

Take Action

  1. Include binary analysis in your CI/CD. Yes, it’s possible. Yes, it scales.
  2. Scan your firmware, not just your codebase. Bonus: you catch your suppliers’ mistakes, too.
  3. Correlate code-level intent with binary-level output. See if what you meant is what you shipped.

Final Word

Your source code might tell a beautiful story, but attackers read your firmware. If you’re not analyzing your binaries, you’re leaving your devices open to surprise plot twists. And in IoT security, surprise is rarely good.

Next up: Open source love and liability—what happens when your third-party components turn against you.
View full post