John Scott, PresidentEnterprise IT’s shift to the cloud and a severe shortage of technical talent is putting pressure on CISOs, CIOs and corporate risk managers. Software security updates used to be performed once a quarter. Now they happen daily. New open source dependencies are snowballing into the enterprise codebase. New vulnerabilities emerge daily. “The shift from periodic updates to continuous integration is roiling IT, and transitions can be painful. We are a part of the tool chain that achieves that transition,” says John Scott, President of Ion Channel. “Software is never done, and how much is under the water line gets progressively bigger and more difficult to assure without automation.”
Originally developed for the intelligence community, Ion Channel is a secure pipeline for thousands of software components flowing into the government from dozens of vendors. “We were forged out of necessity in very high-security environments, and we are making these capabilities commercially available in 2017,” says JC Herz, the company’s COO. “We allow our customers to apply security and governance criteria consistently and automatically across suppliers, and to risk manage and maintain that code throughout its life cycle.”
Ion Channel is a hybrid SaaS solution, providing continuous monitoring of software applications and components: version changes, vulnerabilities, dependencies, and ecosystem risks. “The data service is both human-readable and machine-readable, encrypted for security and updated hourly,” adds Scott. “It ensures that your security people don’t inadvertently reveal your vulnerabilities by running queries on the internet.” A robust API enables seamless integration with existing CI/CD workflows.
Ion Channel’s on-premises application applies Governance, Rules and Compliance (GRC) criteria to software as it’s built. Analysis includes virus scan, file type and hash validation, dependency and vulnerability mapping, licensing, version numbers and test coverage.
JC Herz, COOIf a software build doesn’t meet criteria for approval, Ion breaks the build and returns findings to the developer so they instantly know what to fix, instead of having to wait for a security engineer to review a spreadsheet and email them. Ion Channel produces and archives auditable records of continuous monitoring for regulatory, contract and cyber-insurance policy compliance.
“One of Ion’s core value propositions is freeing up engineering and security staff so they can be more effective,” explains Scott. “Automating GRC allows them to stay current, raise the bar for security and focus on risk management strategically, not as a fire drill.” One such example is Ion Channel’s largest customer in the intelligence community, which has increased the speed and scale of software they can ingest and ATO (approve to operate) with a fraction of the manpower necessary for human-in-the-loop review. “We have taken their time for approval down from multiple quarters to weeks,” says Scott.
We bring supply-chain intelligence to software security
Ion Channel assesses ecosystem risk - fragilities and red flags in the developer communities that support and maintain code (the open source equivalent of vendor risk). If open source components are no longer supported, if no one is minding the store, that represents a huge supply chain risk that doesn’t show up in vulnerability databases or code scanning. But it can be detected in the supply chain. Ion Channel’s roadmap includes new metrics and analytics to quantify that risk.