Instead of focusing on discovering and reporting vulnerabilities, Panaton offers source-code level security remediation services.
Our Expertise in this Field
We instrument our clients’ codebases with automated security vulnerability scanning and fix the discovered issues by working in parallel with our clients’ software teams, so that planned feature releases are not delayed while security concerns are being addressed.
With almost 30 years of experience in core C, C++, Java and .NET programming, we address your lists of security issues and vulnerability findings, and put in place the often missing security components in existing DevOps processes.
We leverage our own unique expertise with embedded and IoT systems across various platforms from NXP, Freescale, Odroid, TI, Ricoh, Konica-Minolta and Fujitsu.
Source-Code Security Remediation Engagement Process
1. Start by identifying the source code repositories and the programming languages and build tools used. Eliminate from scope any code that is obsolete, non-essential or deemed to be of low value.
2. Based on the results from (1) select appropriate automatic analysis tools, or configure client-owned ones for the project.
3. Perform the analysis – both automation as well as manual review, including documentation review.
4. Eliminate false positives and non-essential findings and assemble the report.
5. Cooperatively review the report details and create a remediation plan. Design the integration of static code security analysis and a third-party patch cadence into the standard DevOps process.
6. Reconcile remediation plan against already committed delivery timelines, available internal resources and budgets.
7. Perform the code updates / remediation and merge to the appropriate branches.
Reference: Cyber Security Success Stories
Internet-Scale Port and Vulnerability Scanning
Panaton developed a distributed masscan-based system that allows us, in a matter of a few hours, to scan every computer on the internet and to discover every open port, while avoiding intrusion detection and prevention systems. This is accomplished by maintaining a constantly changing farm of inexpensive third-party servers around the world as well as larger farms at the leading cloud providers. All autoscaling, self-healing and randomization / distribution logic was custom developed by Panaton. While this scanning platform was implemented to compete commercially with Bitsight and Security Scorecard in the area of corporate third-party cyber-security risk management, the core of the platform is a strong offensive cyber toolset.
Industrial OT/IT Converged Vulnerability Management System
Panaton staff were subcontracted to perform system integration services for American Electric Power. We integrated the CyberBit ICS/SCADA security BBX monitoring devices and central server with the existing Rapid7 vulnerability scanning and Tufin firewall orchestration infrastructure. As part of the project we developed custom RSA Archer integrations to allow auditable compliance with NERC/FERC CIP requirements and standards.
Enterprise Cyber Threat Simulation
Panaton developed an end-to-end threat simulation environment that ingests real-time feeds of internet-wide threats, known vulnerabilities, enterprise-identified vulnerabilities, network topologies and asset classifications, and then performs an on-demand simulation of compromise, given a starting asset or subnetwork and a threat vector. The implementation was built to support multinational energy companies’ infrastructure and to provide both data and visualization. Operationally, the system delivered actionable guidance to IT teams that allowed them to prioritize vulnerability patching so that overall risk is minimized, given limited time and technical resources.
Third Party Risk Monitoring
Panaton developed a comprehensive third-party cyber-risk management platform, with formal risk analytics, remediation, exception and mitigation management. Full workflow and management approval processes were implemented. A screenshot of one of the reports in the system is offered below.