Software Runs the Connected World – We Secure It: Security Innovation

Today’s software doesn’t exist in isolation; it operates in a complex and hostile ecosystem that makes it vulnerable to attack from multiple points – and that we understand well. For over a decade, organizations have relied on our assessment and training solutions to make the use of software systems safer in the most challenging environments – whether in web applications, IoT devices, or the cloud.

Security Innovation’s roots are in software quality and security.  In 2002, we were launched as a consultancy focused on software security analysis for US Department of Defense and software vendors including Microsoft, Adobe, and Symantec. From this evolved training and SDLC assessments to address root causes of vulnerabilities, enabling growth into the financial services, retail, hospitality, and manufacturing industries. With the acquisition of NTRU Cryptosystems in 2009, the company added embedded and IoT security expertise and further expanded into testing “smart” devices for home, energy, and building control.

Security Innovation is trusted worldwide

Our solutions are based on the three pillars of a secure SDLC, which feed into one another to create an ecosystem of repeatable, secure software development: Standards, Education, and Assessment.

• STANDARDS & POLICIES - Secure development standards bridge the gap between InfoSec policies and development best practices. Findings from ongoing research and SDLC assessments provide a feedback mechanism from which we build security principles, coding best practices, architecture standards, and testing procedures.
• EDUCATION - Our computer-based and instructor-led training gives your teams the right skills to successfully implement secure coding standards and adhere to policy requirements.  Source content is derived from our ongoing assessments of the world’s more prolific software. 
• ASSESSMENT (Application & SDLC) - Our expert analysis provides a feedback mechanism to improve standards and identify knowledge gaps. This takes the form of static analysis, dynamic analysis, penetration testing, code reviews and SDLC audits.

Because our solutions span assessment, remediation and training, we understand the systemic causes that lead to vulnerable software. We also develop software products ourselves; thus, we understand the challenges of building security in, trade-offs between functionality and security, and how to take a risk-based approach to vulnerability management.

Software Security Assessments

Unlike others vendors that rely on scanning for broad coverage, our software security experts focus on quality coverage by calibrating the breadth (automation) and depth (experts) of testing to software risk/complexity.

Leveraging our Platform Centers of Excellence, our software security assessments range from a deep, manually intensive test to a more technology driven inspection with expert tool operation and vulnerability verification. Benefits include:

• Accurate results and zero false positive guarantee - We augment scanners with internally developedtools and techniques to hunt down vulnerabilities that evade automation, validating each one. Our tools independency ensures the right tool every time
• Superior Vulnerability Remediation IQ - Platform-and language-specific guidance ensures problems are fixed correctly. Portal provides access to our courses, experts and secure coding knowledgebase to avoid security regressions
• Any application type - Mobile, Web, cloud, IoT, Desktop, etc. We test them all at any breadth, depth or frequency
• Expertise infused into every engagement - Staff includes Microsoft MVPs, Privacy By Design Ambassadors, Apple, Adobe and Barracuda Hall of Famers; 100+ other accreditations
• Risk-based findings - We adjust vulnerability ratings based on your existing mitigating controls and defect classification/rating system.

Application Security Consulting

Most vulnerabilities are introduced before a single line of code is written. An architecture and design review casts a critical eye over the security of an application's structure and identifies weaknesses before they propagate into numerous code level vulnerabilities.

• Architecture and Design Review - Most vulnerabilities are introduced before a single line of code is written. An architecture and design review casts a critical eye over the security of an application's structure and identifies weaknesses before they propagate into numerous code level vulnerabilities.
• SDLC Gap Analysis - A well defined and secure development process significantly reduces time spent on vulnerability fixes and improves overall throughput. A secure SDLC Gap Analysis identifies key points within your SDLC to introduce or refine security activities. It also provides recommendations for improved tool usage and skills development. The result is a step-by-step roadmap to foster good security habits as part of each team member's behavior.
• Experts on Demand (EoD) - Our EoD consultants help overcome knowledge and resource gaps by advising your teams on security topics and/or implementing solutions for you – right when you need them. They serve as both a direct resource for on-demand guidance and as a trusted adviser anticipating your needs.

IoT & Embedded Security Consulting

The complexity of IoT often results in a massive attack surface. Couple that with evolving security knowledge from the manufacturers of those devices and you have a high-risk environment ripe for exploit. Our services examine your connected solutions at the physical, communications, and software levels:

• Embedded Systems: Devices that gather data and interact with the world
• Firmware: Software that runs on embedded devices
• Wired/Wireless Communications: The chipsets and protocols that connect devices to each other, IP gateways, and remote systems
• Supporting Infrastructure: Routers, switches, wireless bridges, and data aggregators
• Cloud Services: The remote servers that manage data and control devices
• Applications: The end user applications that provide access to the data or control the devices

Knowing the visionary behind Security Innovation

Ed Adams, President & CEO

Ed Adams is a software quality and security expert with over 20 years of experience in the field.  He served as a member of the Security Innovation Board of Directors since its inception in 2002 and took over as CEO in 2003. Prior to his work at Security Innovation, Ed held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. He was also an engineer for the US Army and Foster-Miller earlier in his career.

“Security Innovation is a leader in software security, with over one-third of the Fortune 100 relying on our assessment and training solutions to protect their brands as if they were our own.”