Originally developed for the intelligence community, Ion Channel is a secure pipeline for thousands of software components flowing into the government from dozens of vendors. “We were forged out of necessity in very high-security environments, and we are making these capabilities commercially available in 2017,” says JC Herz, the company’s COO. “We allow our customers to apply security and governance criteria consistently and automatically across suppliers, and to risk manage and maintain that code throughout its life cycle.”
Ion Channel is a hybrid SaaS solution, providing continuous monitoring of software applications and components: version changes, vulnerabilities, dependencies, and ecosystem risks. “The data service is both human-readable and machine-readable, encrypted for security and updated hourly,” adds Scott. “It ensures that your security people don’t inadvertently reveal your vulnerabilities by running queries on the internet.” A robust API enables seamless integration with existing CI/CD workflows.
Ion Channel’s on-premises application applies Governance, Rules and Compliance (GRC) criteria to software as it’s built. Analysis includes virus scanning, file type and hash validation, dependency and vulnerability mapping, licensing, version numbers and test coverage. If a software build doesn’t meet the criteria for approval, Ion breaks the build and returns findings to the developer so they instantly know what to fix, instead of having to wait for a security engineer to review a spreadsheet and email them. Ion Channel produces and archives auditable records of continuous monitoring for regulatory, contract and cyber-insurance policy compliance.
We bring supply-chain intelligence to software security
Ion Channel assesses ecosystem risk: fragilities and red flags in the developer communities that support and maintain code (the open source equivalent of vendor risk). If open source components are no longer supported, if no one is minding the store, that represents a huge supply chain risk that doesn’t show up in vulnerability databases or code scanning. But it can be detected in the supply chain. Ion Channel’s roadmap includes new metrics and analytics to quantify that risk.