Instead of focusing on discovering and reporting vulnerabilities, Panaton offers source-code level security remediation services.
Our Expertise in this Field
We instrument our clients’ codebases with automated security vulnerability scanning and fix discovered issues by working in parallel with our client’s software teams, so that planned feature releases are not delayed while working on security concerns.
With almost 30 years of experience in core C, C++, Java and .NET programming, we address your lists of security issues and vulnerability findings, and put in place the often missing security components in existing DevOps processes.
We leverage our own unique expertise in embedded and IoT systems across platforms from NXP, Freescale, Odroid, TI, Ricoh, Konica-Minolta and Fujitsu.
Source-Code Security Remediation Engagement Process
1. Start by identifying source code repositories and the programming languages and build tools used. Eliminate from scope code that is obsolete, non-essential or deemed to be of low value.
2. Based on the results from (1) select appropriate automatic analysis tools, or configure client-owned ones for the project.
3. Perform the analysis: automated scanning as well as manual review, including documentation review.
4. Eliminate false positives and non-essential findings and assemble the report.
5. Cooperatively review the report details and create a remediation plan. Design an integration of static code security analysis and a third-party patch cadence as part of the standard DevOps process.
6. Reconcile the remediation plan against already committed delivery timelines, available internal resources and budgets.
7. Perform the code updates and remediation, and merge to the appropriate branches.
12 Reasons to Outsource Your Code Security
Security costs extra development time. How can you address security without having to reassess your product delivery commitments?
Most programmers are not security people; they simply don’t often think like an attacker does.
Most security people are not programmers. Many CISOs are MBAs, sometimes but not always with some security certification “letters” after their titles. 90% of “certified” information security people are in fact NOT software engineers, and the majority come from sysadmin and network engineering backgrounds.
Security education is deficient. Most schools have no curriculum that addresses computer security. Even where a computer security curriculum exists, it often does not discuss how to write secure programs as a whole. Many such curricula only study certain areas such as cryptography or protocols. These are important, but they often fail to discuss common real-world issues such as buffer overflows, string formatting, and input checking.
Most programming books/classes do not teach secure/safe programming techniques.
No one uses formal verification methods.
All “modern” platforms are written in C: Apache, Node.js, MySQL, Java, PHP, etc. BUT C and C++ are unsafe languages, and the standard C library string functions are unsafe.
Modern programmers rarely think “multi-user.” They assume request/response session isolation and believe that “multi-user” comes “for free”.
Programmers are human, and humans are lazy. Thus, programmers will often use the “easy” approach instead of a secure approach, and once it works, they will avoid fixing it later.
There is lots of “broken” legacy software. Fixing this software (to remove security faults or to make it work with more restrictive security policies) is difficult to impossible.
As with an external audit or PCI certification, independent reviewers can be expected to deliver more objectivity.
Most computer security models are terrible.
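The point in the list above about the standard C library string functions, as an added defensive example (not Panaton's code and not from any project named on this page): a fixed-size record field written with strcpy beside a bounded copy and an snprintf wrapper that report truncation instead of overwriting the adjacent memory. The record layout, the over-long input and all names (user_record, bounded_copy, set_name_safe, greet, check_bounded_setter, greet_fits) are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16

/* Constructed record with a fixed-size field, as in much legacy C code. */
struct user_record {
    char name[NAME_MAX];
    int  is_admin;   /* adjacent field: an overflow of 'name' clobbers it */
};

/* UNSAFE, shown only to illustrate the problem: strcpy has no idea how large
 * the destination is. Input longer than NAME_MAX-1 bytes writes past 'name'
 * into 'is_admin' and beyond. Never call this with untrusted input. */
void set_name_unsafe(struct user_record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Bounded copy: copies at most dst_size-1 bytes, always NUL-terminates, and
 * reports truncation instead of silently corrupting memory.
 * Returns 0 on success, -1 if src did not fit (dst then holds a truncated copy). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strnlen(src, dst_size);  /* never read more than dst_size bytes of src */
    if (n == dst_size) {                /* no NUL within dst_size bytes: too long */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);            /* n + 1 copies the terminator too */
    return 0;
}

/* Safe setter: sizeof the field travels with the pointer, so 'is_admin' can
 * never be touched regardless of input length. */
int set_name_safe(struct user_record *r, const char *src)
{
    return bounded_copy(r->name, sizeof r->name, src);
}

/* Same idea for formatted output: snprintf returns the length it wanted to
 * write, so a result >= buf_size means the output was truncated.
 * Returns 0 on success, -1 on truncation or encoding error. */
int greet(char *buf, size_t buf_size, const char *name)
{
    int wanted = snprintf(buf, buf_size, "Hello, %s!", name);
    return (wanted < 0 || (size_t)wanted >= buf_size) ? -1 : 0;
}

/* Convenience wrapper for checks: formats into a scratch buffer of the
 * requested size (capped at 64 bytes) and reports whether the greeting fit. */
int greet_fits(const char *name, size_t buf_size)
{
    char buf[64];
    if (buf_size > sizeof buf)
        return -1;
    return greet(buf, buf_size, name);
}

/* Self-check: returns 1 when the bounded setter rejects a constructed 40-byte
 * name, leaves 'is_admin' untouched and stores a NUL-terminated truncated copy. */
int check_bounded_setter(void)
{
    struct user_record r;
    memset(&r, 0, sizeof r);
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 'A's */
    int rc = set_name_safe(&r, long_name);
    return rc == -1 && r.is_admin == 0 && strlen(r.name) == NAME_MAX - 1;
}

int main(void)
{
    printf("bounded setter isolates adjacent field: %s\n",
           check_bounded_setter() ? "yes" : "NO");
    printf("\"Hello, Ana!\" fits in 12 bytes: %s\n",
           greet_fits("Ana", 12) == 0 ? "yes" : "no");
    printf("\"Hello, Ana!\" fits in 11 bytes: %s\n",
           greet_fits("Ana", 11) == 0 ? "yes" : "no");
    return 0;
}
```

The pattern to take from this is that every copy or format call carries the destination size and returns a status the caller must check; the truncated case is reported rather than absorbed, which is what a remediation pass replacing strcpy/sprintf call sites has to preserve.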
Reference: Cyber Security Success Stories
Internet-Scale Port and Vulnerability Scanning
Panaton developed a distributed masscan-based system that allows us, in a matter of a few hours, to scan every computer on the internet and to discover every open port, while avoiding intrusion detection and prevention systems. This is accomplished by maintaining a constantly changing farm of inexpensive third-party servers around the world as well as larger farms at the leading cloud providers. All autoscaling, self-healing and randomization / distribution logic was custom developed by Panaton. While this scanning platform was implemented to compete commercially with Bitsight and Security Scorecard in the area of corporate third-party cyber-security risk management, the core of the platform is a strong offensive cyber toolset.
Industrial OT/IT Converged Vulnerability Management System
Panaton staff were subcontracted to perform system integration services for American Electric Power. We integrated the CyberBit ICS/SCADA security BBX monitoring devices and central server with the existing Rapid7 vulnerability scanning and Tufin firewall orchestration infrastructure. As part of the project we developed custom RSA Archer integrations to allow auditable compliance with NERC/FERC CIP Requirements and Standards.
Enterprise Cyber Threat Simulation
Panaton developed an end-to-end threat simulation environment that ingests real-time feeds of internet-wide threats, known vulnerabilities, enterprise-identified vulnerabilities, network topologies and asset classifications, and then performs an on-demand simulation of compromise given a starting asset or subnetwork and a threat vector. The implementation was built to support multinational energy companies’ infrastructure and to provide both data and visualization. Operationally, the system delivered actionable guidance to IT teams that allowed them to prioritize vulnerability patching so that overall risk is minimized given limited time and technical resources.
Third Party Risk Monitoring
Panaton developed a comprehensive third-party cyber-risk management platform, with formal risk analytics, remediation, exception and mitigation management. Full workflow and management approval processes were implemented. A screenshot of one of the reports in the system is offered below.