The Dependency Mirage: Hidden Vulnerabilities in Your Compiled Binaries

Craig Heffner, Senior Staff Engineer

Most organizations trust their vulnerability scanners and SBOMs to reflect reality. Unfortunately, they don’t. Our research shows that what’s declared in manifests and package managers often diverges dramatically from what’s actually running in production binaries. The result: critical vulnerabilities remain invisible to your security tools, quietly persisting inside compiled software.

This session will reveal how static linking, vendored dependencies, transitive imports, and build-time decisions create a hidden attack surface that current software composition analysis (SCA) tools miss. Drawing on real-world investigations across multiple vendors, we will demonstrate how vulnerable libraries that were neither declared nor intended for inclusion find their way into production systems. For example:

  • OpenSSL 3.0.0 was statically linked inside Python modules, even though the developer intended to include OpenSSL 3.0.7. The final build therefore still carried the vulnerabilities fixed between those two releases, while manifest-based tools reported the intended, patched version.
  • rsync binaries contained zlib 1.2.8 even though the package manager reported zlib 1.3.1. The culprit: rsync ships its own copy of zlib, and the default build configuration compiles that vendored copy into the binary instead of linking the system library.

These findings are not edge cases—they represent a systemic blind spot in the way software is written, tested, built, shipped, and secured.

We will present case studies, evidence from binary forensics, and a live demo illustrating how Binary Composition Analysis (BCA) uncovers what SCA tools miss. We’ll show attendees how to validate unexpected scanner findings, recognize patterns of hidden dependencies, and document vendor build configurations that directly impact security posture.

Key takeaways:

  • Why manifest-based scanning reflects intent, not reality.
  • How to identify statically linked and vendored code inside binaries.
  • How to work with vendors in identifying and remediating this problem.
  • Why BCA is becoming essential for securing modern software supply chains.

Attendees will learn how modern compilation pipelines make thousands of micro-decisions (symbol resolution, build flags, vendoring, code generation) that reshape the final attack surface in ways no manifest-based tool can capture.
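As an added illustration of the string-level check behind the second and third takeaways (example code written for this page, not the speaker's tooling or any BCA product): compiled copies of OpenSSL and zlib carry their own version strings in the binary, OpenSSL via its OPENSSL_VERSION_TEXT constant (for example "OpenSSL 3.0.0 7 sep 2021") and zlib via the copyright strings in deflate.c and inflate.c (" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler "). The script below greps a file for those strings and reconciles what it finds with the versions a manifest or package manager declares. The regexes, the status labels and the three sample blobs are assumptions constructed for the example, not data from the talk.

```python
#!/usr/bin/env python3
"""Grep a compiled binary for the version strings that common libraries
embed in their object code, then reconcile them with what an SBOM or
package manager declares for that binary (added example, not BCA tooling)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Version strings the libraries bake into their binaries. OpenSSL emits
# OPENSSL_VERSION_TEXT ("OpenSSL 3.0.0 7 sep 2021"); zlib's deflate.c and
# inflate.c carry copyright strings that begin with the version
# (" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ").
# The exact regexes are an assumption about string layout made for this example.
SIGNATURES = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})[ \x00]"),
    "zlib": re.compile(rb"\b(?:inflate|deflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright"),
}


@dataclass(frozen=True)
class Finding:
    library: str
    declared: str | None   # version from the SBOM / package manager, if any
    embedded: frozenset    # versions whose strings were actually found
    status: str            # "match", "mismatch", "undeclared", "not_embedded"


def scan_bytes(blob: bytes) -> dict[str, set[str]]:
    """Return {library: {versions}} for every signature that matches the blob."""
    found: dict[str, set[str]] = {}
    for name, pattern in SIGNATURES.items():
        versions = {m.group(1).decode("ascii") for m in pattern.finditer(blob)}
        if versions:
            found[name] = versions
    return found


def scan_file(path: str) -> dict[str, set[str]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def compare(found: dict[str, set[str]], declared: dict[str, str]) -> list[Finding]:
    """Reconcile embedded versions with declared ones.

    A declared library that leaves no string in the binary is most likely
    dynamically linked, which is the case the manifest actually describes.
    A library embedded with a different version, or embedded without being
    declared at all, is the blind spot the talk describes.
    """
    findings = []
    for lib in sorted(set(found) | set(declared)):
        embedded = frozenset(found.get(lib, ()))
        want = declared.get(lib)
        if not embedded:
            status = "not_embedded"
        elif want is None:
            status = "undeclared"
        elif embedded == {want}:
            status = "match"
        else:
            status = "mismatch"
        findings.append(Finding(lib, want, embedded, status))
    return findings


# Constructed stand-ins for real binaries (not captured from any vendor):
# an ELF header fragment, padding, and the strings a build would leave behind.
SAMPLE_RSYNC = (
    b"\x7fELF" + b"\x00" * 28
    + b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler \x00"
    + b" inflate 1.2.8 Copyright 1995-2013 Mark Adler \x00"
    + b"rsync version %s protocol version %d\x00"
)
SAMPLE_PY_SSL = (
    b"\x7fELF" + b"\x00" * 28
    + b"OpenSSL 3.0.0 7 sep 2021\x00"
    + b"_ssl.cpython-311-x86_64-linux-gnu.so\x00"
)
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 28 + b"OpenSSL 3.0.7 1 Nov 2022\x00"


def demo() -> dict[str, list[Finding]]:
    """Run the three constructed cases against what a manifest would declare."""
    return {
        "rsync": compare(scan_bytes(SAMPLE_RSYNC), {"zlib": "1.3.1"}),
        "python-ssl": compare(scan_bytes(SAMPLE_PY_SSL), {"openssl": "3.0.7"}),
        "clean": compare(scan_bytes(SAMPLE_CLEAN), {"openssl": "3.0.7", "zlib": "1.3.1"}),
    }


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for case, findings in demo().items():
            for f in findings:
                print(f"{case:11} {f.library:8} declared={f.declared} "
                      f"embedded={sorted(f.embedded)} -> {f.status}")
    else:
        for path in sys.argv[1:]:
            for lib, versions in sorted(scan_file(path).items()):
                print(f"{path}: {lib} {sorted(versions)}")
```

Run it with no arguments to see the three constructed cases, or pass real files (`python3 bca_strings.py /usr/bin/rsync`). Treat a hit as a lead, not a verdict: a matching string shows that the library's source was compiled into the file, but the vendor may have patched that copy (rsync's bundled zlib is modified) or the string may sit in an unused object, so confirm against the build configuration or symbol table before filing a finding. Conversely, the absence of a string only means the library is not embedded in that recognisable form, not that the binary is clean.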