NetRise Discovery Partner Program targets VARs, MSSPs and partners

Customers are under more pressure to understand what is inside the software they use. That includes commercial software, firmware, containers, legacy applications, and third-party products. They need help verifying software risk, not just trusting vendor-provided SBOMs, questionnaires, or source-code scans.

NetRise is trying to help partners do that. The Austin, Texas-based software supply chain security company has launched its Discovery Partner Program for VARs, MSSPs, distributors, systems integrators, technology alliances, and strategic consultants.

The program expands partner access to the NetRise Platform and NetRise Provenance. NetRise analyzes compiled software artifacts, including binaries, firmware, containers and applications, to find components and risks that may not show up in source-code scans, vendor questionnaires or vendor-provided software bills of materials.

What makes the program different

NetRise is positioning the program around one core gap: many security tools depend on source code, vendor attestations, or known vulnerabilities. NetRise says it takes a different approach by analyzing the compiled artifact itself.

Robbie Robbins, vice president of business development and strategic alliances at NetRise, told ChannelE2E,

“The core differentiator of NetRise and its Discovery Partner Program boils down to one reality: NetRise analyzes the compiled artifact - the binary - not the recipe - the source code - or the paperwork - the vendor-provided SBOM.”

That is important for partners working with customers that buy commercial software, run legacy applications, use embedded devices or depend on third-party platforms where source code is not available. With NetRise, partners can inspect compiled binaries, Windows applications, containers and firmware to build a more complete component map. They can also compare vendor-provided SBOMs against what is actually present in the software.

“Partners can take a vendor’s provided Software Bill of Materials and run it through NetRise to prove where it is missing dependencies, outdated or flat-out wrong,” Robbins said. “Other tools rely on what the developer intended to build. NetRise looks at what actually executes.”

Filling a third-party risk gap

The partner program also gives NetRise a way to sit alongside vulnerability management, third-party risk management, and compliance tools. For MSSPs and security partners, that can support incident response and exposure management. It also helps move the customer conversation beyond long vulnerability lists and toward clearer questions: Which assets are affected? Is the component reachable? What should be fixed first?

“NetRise fills a gap that exists in other products, such as vulnerability management products and third-party risk management products, to add a layer of protection not afforded by those products,” Robbins said. “The gap exists because the component identification delivered by those products is incomplete.”

That gap becomes more serious during software supply chain incidents. When a package or library is compromised, security teams need to know where that component exists across the software they use. If the inventory is incomplete, the response takes longer.

NetRise analyzes compiled code and creates a software asset inventory. NetRise Provenance can then help identify components affected by a compromised package or library.

Beyond CVEs

Software supply chain risk is bigger than published vulnerabilities. A product may have exposed secrets, weak configurations or cryptographic issues even when there is no matching CVE. NetRise is also focused on risks that do not always appear in standard CVE-driven workflows.

“Most supply chain vendors only map known vulnerabilities,” Robbins said. “NetRise uncovers intent-based and configuration risks hidden inside the binary, such as hard-coded credentials, leaked private keys, expired cryptographic certificates, and malicious backdoor artifacts.”

How the program is structured

The Discovery Partner Program is built around three areas: channel and distribution growth, technology ecosystem alliances, and federal and strategic consulting partnerships.

The channel and distribution track focuses on VARs, MSSPs, and distributors. The technology alliance track is for complementary solutions and integrations. The federal and strategic consulting track is aimed at government and regulated industries, where software supply chain visibility is becoming a bigger procurement and compliance issue.

NetRise is launching with two partner tiers. Accelerator Partners are organizations that invest in training and show consistent sales success. Vanguard Partners are top-tier partners that exceed revenue goals, bring advanced technical expertise and advocate for NetRise in their markets.

The tiering gives NetRise a way to separate partners that mainly resell from partners that can design, implement and support more complex software supply chain security programs.

Integrations matter

Security buyers already manage large tool stacks. Partners often face resistance when they bring in another platform. NetRise is trying to address that by delivering findings through its own interface and through workflow integrations.

“NetRise delivers its findings and recommendations via its own UI and also offers WebHooks, allowing customers to embed the findings in the tools it uses to manage and remediate risk,” Robbins said. “We also offer integrations with Nucleus, ServiceNow, and Jira, for example, to manage workflows.”

Findings need to move into the tools customers already use for ticketing, remediation, risk tracking and vulnerability management. Otherwise, software supply chain data can become another report that sits outside daily operations.

“The key here is that NetRise integrates into other solutions, avoiding the objection that we’re just another point solution,” Robbins said.

Services partners can build

NetRise says partners can use the platform for third-party risk reporting, device assessments, threat hunting, penetration testing, vulnerability and patch management, product security as a service, and attack surface management audits.

Robbins said the platform is also suited for recurring service revenue because it is cloud-based and highly automatable.

“Partners can wrap NetRise into actionable, outcome-driven offerings,” he said.

One example is a vendor risk and software procurement audit. Before a customer signs a major contract for a new application, enterprise platform or networking product, a partner can run the vendor’s software binaries through NetRise.

The result is a risk validation report before the deal is signed. That gives procurement and security teams more leverage. They can ask for fixes, negotiate based on identified risk, delay deployment or walk away from a high-risk vendor.

Another opportunity is continuous SBOM and software supply chain support. Partners can offer a managed service that ingests, updates and monitors a customer’s software estate, including internal builds, cloud containers and operational technology.

That can help customers maintain more accurate SBOMs without putting all the work on internal engineering teams.

A third opportunity is vulnerability prioritization and reachability assessment. Instead of giving customers a long spreadsheet of vulnerabilities, partners can use NetRise to focus on the weaknesses most likely to matter.

“Instead of handing a customer a spreadsheet of 10,000 vulnerabilities, the partner uses NetRise’s auto-run and reachability analysis to filter out the noise,” Robbins said. “They deliver an actionable ‘Top 20 Critical Weaknesses’ list.”

That can help reduce remediation time and keep security and development teams from spending time on vulnerabilities that may not execute at runtime.

As more organizations try to understand the software they build, buy and run, SBOMs, third-party risk reviews and vulnerability management are becoming more common. But many customers still lack a full view of compiled software and firmware. NetRise wants partners to help close that gap. For MSSPs, that means adding software supply chain visibility to managed security, exposure management and incident response services. For MSPs and VARs, the strongest opportunity may be assessments, procurement risk reviews and compliance services. For systems integrators and consultants, NetRise can support larger product security work, especially in federal and regulated industries.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
