Our History

Security Innovation is made up of application security trailblazers and was one of the first companies to focus solely on this critical aspect of product and IT security.

Company History and Background

Security Innovation’s roots are in application behavior and software quality, the underlying foundation for software application security. We started as an application penetration testing company but realized that penetration testing alone was not enough to make our customers secure. As a result, we evolved our services to include assessments at each phase of the software development lifecycle (SDLC): code review, threat modeling, architecture and design review, and the development lifecycle itself. These assessments highlighted the need for developer training and for standards across the SDLC.

Our most successful customers’ programs incorporate all three aspects of what we call “the three pillars of success” for a secure SDLC: standards, education, and assessment. In order to best serve our customers, we need to provide solutions in all three areas. This is where we stand now: TEAM Academy for development standards and education, and assessment services for risk analysis, measurement and remediation.

Because Security Innovation’s solutions span assessment, standards, remediation and training, we have a unique view of the systemic causes that lead to vulnerable software. Additionally, because we develop software products ourselves, we understand the challenges of building security in, the trade-offs between functionality and security, and how to take an effective risk-based approach to vulnerability management. This first-hand experience also equips us to explain complex, real-world software topics to various audiences, adjusting as needed for more or less technical staff.

As security concerns grow in the global enterprise, the need for software-security-focused knowledge grows with them; yet quality education in this area is very difficult to find. Our history of deep research, the industry’s largest training library for application security, and successful assessments for some of the most reputable organizations in the world (including security companies themselves) validate our reputation and impact in the software security space. Our products and services are backed by expert security practitioners and researchers who ensure our solutions reflect the current security landscape. Software runs the world; we help you secure it.

Company Timeline

In 2002, James Whittaker of the Florida Institute of Technology (Florida Tech) founded Security Innovation (SI) with Jason Taylor, who left Microsoft to start the company. At the time, Dr. Whittaker was chair of Florida Tech’s software engineering program, one of only three universities then offering an application quality/testing degree program and the first to introduce a minor in software security.

With the publication of his top-selling book How to Break Software Security (HTBSS), Whittaker released the industry’s first public methodology for software security testing, which was adopted by organizations such as Microsoft, Adobe, McAfee, Symantec and others. Security Innovation engineers have continued to hone and refine the HTBSS methodology and related testing technologies, which remain the cornerstone of the company’s application penetration testing efforts. Additionally, the fault simulation technology Dr. Whittaker developed as part of HTBSS was the foundation of Security Innovation’s Holodeck product, whose development was led by Jason Taylor, Security Innovation’s CTO, who has been with the company since its inception.

In 2003, Ed Adams became the CEO of Security Innovation; he had served on the board of directors since the company’s inception. A year after he joined, the company launched its security training and consulting services while continuing to develop products used to find security vulnerabilities in software. The consulting services found software security vulnerabilities and trained clients on how to fix them. Some of Security Innovation’s earliest clients included Microsoft, SAP, Symantec, and the Department of Homeland Security.

The different demands of its commercial and government clients led Security Innovation to create SI Government Solutions, which was spun off from the parent company in 2005 and subsequently sold to Raytheon for $31 million a few years later.

In 2007, Microsoft hired Security Innovation to develop 14 custom eLearning courses on The Microsoft SDL (Security Development Lifecycle), which is mandatory training for its thousands of software architects, engineers, and testers.

In 2008, Security Innovation received $7 million in Series A funding from Brook Venture Partners and angel investor Gordon Burns. A year later, the company acquired NTRU Cryptosystems, a developer of advanced embedded security and encryption products.

In 2010, Security Innovation formed a strategic partnership with the PCI SSC (Payment Card Industry Security Standards Council) through which it converted the PCI SSC training business to computer-based training (CBT). Later that year, the company received $2 million in Series B funding, again from Brook Venture Partners and Gordon Burns.

In 2012, the company was chosen to lead a US/EU harmonization project on secure vehicle-to-vehicle (V2V) communications, a safety-of-life program sponsored by the US Department of Transportation (DOT) and ETSI (European Telecommunications Standards Institute).

In 2013, Security Innovation expanded its partnership with the PCI SSC to include PCI Essentials and PCI Insider security awareness training, which carry the PCI brand. Security Innovation has a three-year exclusive agreement to market and sell both courses.

In 2014, the company acquired Safelight Security Advisors, Inc., a company that develops security awareness and application security training products.  


Services

Security Innovation offers a range of services that help organizations identify and remediate problems in a portfolio of enterprise applications, a stand-alone application, or the Software Development Lifecycle (SDLC) itself.

For each service, our experts will

Each Security Innovation engineer brings a unique skillset to the team, whether it’s in a specific platform, technology, development language, industry standard, or security engineering activity. For each engagement, we match our expert(s) with the skills most needed for that assessment.

Software Security Assessments

All of our software security assessments include the creation of a threat model to guide our assessment efforts and ensure that we are focusing on high-risk areas of the application. 

Architecture & Design Review

This review identifies weaknesses in the design, requirements and goals of the software system and provides mitigation recommendations. It ensures that mistakes are identified early, before they propagate into numerous and expensive code vulnerabilities. At the end of the review, our experts provide a detailed threat model, a summary of all architectural issues, and a risk mitigation plan.

Threat Modeling

This activity is foundational to all of our assessment services. We begin with an enumeration of assets and then systematically identify threats, attack vectors, and potential mitigations. Our methodology combines the industry-standard STRIDE and DREAD models to build a living model of risks and compensating controls. The model is a persistent asset that can be updated as the application evolves or new threats emerge.
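To make the “living model” concrete, here is an added example (written for this page, not Security Innovation’s own tooling or methodology) of a small threat register that tags each threat with its STRIDE category, scores it with DREAD, ranks the results, and recomputes residual risk as compensating controls are recorded. The 1 to 10 per-factor scale, the averaging, the High/Medium/Low bands, and the sample checkout-service threats are all assumptions constructed for illustration.

```python
# Added example, not code from the original page: a minimal STRIDE + DREAD
# threat register. Scale (1..10 per factor, averaged) and rating bands are assumed.
from dataclasses import dataclass, field
from statistics import mean

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    asset: str                     # what the threat targets
    category: str                  # STRIDE key: one of S, T, R, I, D, E
    description: str
    dread: dict                    # inherent DREAD scores, each 1..10 (assumed scale)
    # Compensating controls: name -> {factor: residual score}. A control lowers only
    # the factors it actually addresses, so residual risk stays explainable.
    controls: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        if set(self.dread) != set(DREAD_FACTORS):
            raise ValueError("dread must score exactly the five DREAD factors")
        for factor, value in self.dread.items():
            if not 1 <= value <= 10:
                raise ValueError(f"{factor} must be in 1..10, got {value}")

    def residual_factors(self) -> dict:
        """Inherent scores with every control's reductions applied (lowest wins)."""
        out = dict(self.dread)
        for reductions in self.controls.values():
            for factor, value in reductions.items():
                if factor not in DREAD_FACTORS or not 1 <= value <= 10:
                    raise ValueError(f"bad residual score {factor}={value}")
                out[factor] = min(out[factor], value)
        return out

    def inherent_score(self) -> float:
        return round(mean(self.dread.values()), 2)

    def residual_score(self) -> float:
        return round(mean(self.residual_factors().values()), 2)

    def add_control(self, name: str, **residual) -> float:
        """Record a compensating control and return the new residual score."""
        self.controls[name] = residual
        return self.residual_score()


def rating(score: float) -> str:
    """Assumed banding of the averaged score; tune to your own risk appetite."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank(threats):
    """Highest residual risk first; ties broken by inherent score, then asset name."""
    return sorted(threats, key=lambda t: (-t.residual_score(), -t.inherent_score(), t.asset))


def build_sample_model():
    """Constructed sample threats for a hypothetical web checkout service."""
    login = Threat("login endpoint", "S",
                   "credential stuffing with leaked password lists",
                   dict(damage=7, reproducibility=9, exploitability=8,
                        affected_users=8, discoverability=9))
    order = Threat("order total", "T",
                   "client supplies the price and the server trusts it when charging",
                   dict(damage=8, reproducibility=10, exploitability=9,
                        affected_users=4, discoverability=6))
    audit = Threat("audit log", "R",
                   "admin actions are not logged, so a rogue admin can deny changes",
                   dict(damage=5, reproducibility=6, exploitability=3,
                        affected_users=2, discoverability=3))
    return [login, order, audit]


if __name__ == "__main__":
    model = build_sample_model()
    login, order, audit = model
    # Record compensating controls; only the factors each control addresses drop.
    login.add_control("rate limiting + MFA", reproducibility=3, exploitability=3)
    order.add_control("server-side price lookup", damage=1, exploitability=1)
    for t in rank(model):
        print(f"{rating(t.residual_score()):6} residual {t.residual_score():4} "
              f"(inherent {t.inherent_score()}) {STRIDE[t.category]}: {t.asset}")
```

Keeping controls as per-factor reductions rather than a single “mitigated” flag is what makes the register a living model: when a threat resurfaces or a control is removed, the residual score changes for a reason you can point to, and the same register can be re-ranked at every assessment cycle.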

Security Code Review

This service uses expert analysis to discover implementation-time vulnerabilities in your application code. Our team employs a combination of expert manual review and automated tools to uncover the highest risk flaws and provide remediation advice for coding errors.

Each of our engineers brings a unique skillset to the team, so code reviews can be executed against any application type (web, mobile, embedded, client/server, etc.) written in any coding language (.NET, Java, C/C++, PHP, Objective-C, etc.).

Application Penetration Testing

Using proven threat modeling techniques, our experts identify the highest-risk areas of your application and test the avenues of attack that attackers are most likely to target. After testing is finished, we deliver a detailed final report that includes the complete threat model, the test methodology, and detailed vulnerability information with steps to reproduce, a severity rating, and prescriptive remediation guidance. This “black box” testing is appropriate for acceptance testing and post-deployment analysis, and can be applied to any type of software application.

Enterprise Application Risk Management Services

Managed Application Security Testing (MAST)

For organizations that have hundreds or thousands of applications to secure, MAST provides a multi-tiered, subscription-based testing solution that calibrates the depth of testing and vulnerability analysis to each application’s criticality and risk. This helps ensure maximum ROI through decreased costs, shortened test cycles and reduced time-to-fix.

From Web to legacy applications and everything in between, assessments range from a deep inspection conducted by world-class security engineers, to a combination of manual/automated testing with expert verification of vulnerabilities, to a rapid automated scan with engineering analysis to remove false positives.

Secure SDLC Gap Analysis & Optimization

Our security team will assess your existing SDLC (Software Development Lifecycle) and identify key points within the process where new security activities can be integrated or existing ones refined. This yields a repeatable and efficient SDLC that incorporates security at each phase, streamlines activities, maps development activities to internal policies or compliance mandates, and improves tool usage for team members.