Originally developed for the intelligence community, Ion Channel is a secure pipeline for thousands of software components flowing into the government from dozens of vendors. “We were forged out of necessity in very high-security environments, and we are making these capabilities commercially available in 2017,” says JC Herz, the company’s COO. “We allow our customers to apply security and governance criteria consistently and automatically across suppliers, and to risk manage and maintain that code throughout its life cycle.”
Ion Channel is a hybrid SaaS solution, providing continuous monitoring of software applications and components: version changes, vulnerabilities, dependencies, and ecosystem risks. “The data service is both human-readable and machine-readable, encrypted for security and updated hourly,” adds Scott. “It ensures that your security people don’t inadvertently reveal your vulnerabilities by running queries on the internet.” A robust API enables seamless integration with existing CI/CD workflows.
Ion Channel’s on-premises application applies Governance, Rules and Compliance (GRC) criteria to software as it’s built. Analysis includes virus scan, file type and hash validation, dependency and vulnerability mapping, licensing, version numbers and test coverage.
We bring supply-chain intelligence to software security
“One of Ion’s core value propositions is freeing up engineering and security staff so they can be more effective,” explains Scott. “Automating GRC allows them to stay current, raise the bar for security and focus on risk management strategically, not as a fire drill.” One such example is Ion Channel’s largest customer in the intelligence community, which has increased the speed and scale of software they can ingest and ATO (approve to operate) with a fraction of the manpower necessary for human-in-the-loop review. “We have taken their time for approval down from multiple quarters to weeks,” says Scott.
Ion Channel assesses ecosystem risk: fragilities and red flags in the developer communities that support and maintain code (the open source equivalent of vendor risk). If open source components are no longer supported, if no one is minding the store, that represents a huge supply chain risk that doesn’t show up in vulnerability databases or code scanning, but it can be detected in the supply chain. Ion Channel’s roadmap includes new metrics and analytics to quantify that risk.