Entrata

Enterprise IT’s shift to the cloud and a severe shortage of technical talent is putting pressure on CISOs, CIOs and corporate risk managers. Software security updates used to be performed once a quarter. Now they happen daily. New open source dependencies are snowballing into the enterprise codebase. New vulnerabilities emerge daily. “The shift from periodic updates to continuous integration is roiling IT, and transitions can be painful. We are a part of the tool chain that achieves that transition,” says John Scott, President of Ion Channel. “Software is never done, and how much is under the water line gets progressively bigger and more difficult to assure without automation.”

Originally developed for the intelligence community, Ion Channel is a secure pipeline for thousands of software components flowing into the government from dozens of vendors. “We were forged out of necessity in very high-security environments, and we are making these capabilities commercially available in 2017,” says JC Herz, the company’s COO. “We allow our customers to apply security and governance criteria consistently and automatically across suppliers, and to risk manage and maintain that code throughout its life cycle.”

Ion Channel is a hybrid SaaS solution, providing continuous monitoring of software applications and components: version changes, vulnerabilities, dependencies, and ecosystem risks. “The data service is both human-readable and machine-readable, encrypted for security and updated hourly,” adds Scott. “It ensures that your security people don’t inadvertently reveal your vulnerabilities by running queries on the internet.” A robust API enables seamless integration with existing CI/CD workflows.

Ion Channel’s on-premises application applies Governance, Rules and Compliance (GRC) criteria to software as it’s built. Analysis includes virus scan, file type and hash validation, dependency and vulnerability mapping, licensing, version numbers and test coverage. If a software build doesn’t meet criteria for approval, Ion breaks the build and returns findings to the developer so they instantly know what to fix, instead of having to wait for a security engineer to review a spreadsheet and email them. Ion Channel produces and archives auditable records of continuous monitoring for regulatory, contract and cyber-insurance policy compliance.