Ion Channel is a suite of microservices that provide continuous situational awareness about software projects and automation of governance, meaning pass/fail business policy, in the CI/CD workflow. Our data platform continuously collects and optimizes data from the software supply chain – changes to open source components, vulnerabilities emerging in open-source and proprietary software, and the dynamics of open source developer communities.
Ion Channel SA (Situational Awareness) is a set of microservices driven by this externally derived data. Ion Channel SA maps defined dependencies (and their dependencies, all the way down) to known vulnerabilities and other indicators of risk, including the supply chain risk of sparse or inactive developer communities – risks that aren’t present in the code itself. In simplest terms, Ion Channel comprehensively evaluates software dependencies for bad juju, then generates reports, triggers CI/CD actions, and stores the information as immutable, auditable records for downstream review or as proof of continuous monitoring for compliance.
End-users can access the platform in a few different ways:
- Through a visual interface (UI) dashboard that gives a comprehensive view of a software portfolio, prioritized by risk level. This gives security engineers and risk managers a live view of the codebase as it’s built, or when the dependency profile changes.
- By subscribing to and receiving informational/delta reports for artifacts of interest in a software portfolio.
- Automated through a command-line interface (CLI) or through our application-programming interface (API). CLI/API calls can be used to trigger events in the CI/CD workflow, such as breaking the build if a project doesn’t meet governance criteria.
- By integrating Ion Channel into an existing or new continuous integration/delivery pipeline, developers can gain confidence in their external/stack dependencies by continuously evaluating package manifests against Ion Channel’s vulnerability database and ecosystem analytics.
Ion Channel can be implemented in different deployment situations, depending on connectivity and security/protection postures. Our typical deployment is one where our stack runs inside the enterprise, so that all software inventory queries stay within the organization’s network boundary and the inventory of potentially vulnerable software never leaves it. In this scenario, Ion Channel delivers scheduled data updates to the organization to keep the internally running stack current. It is also possible (and this is how our evaluation environment works) to use Ion Channel’s CLI or API to access our analysis services directly in our production environment. In that case we can still work with an organization to create VPN tunnels to our service interfaces (in AWS) to protect the sensitive software inventory information in transit.
Demos and Technical Documentation
GUI front-end to Bunsen, Ion Channel’s vulnerability microservice: type in a software package name and version number and see the results come back.
To request an API key, e-mail firstname.lastname@example.org
Frequently Asked Questions
What sort of analysis does Ion Channel GRC (Governance, Rules and Compliance) perform against my code base?
Ion Channel GRC checks for:
- File type validation
- Hash validation
- Component versions: whether each component is current, or within a major or minor update of current
- Requisite metadata is present (e.g. version numbers, licensing status, an about.yaml file)
- Dependencies: the entire transitive dependency tree, including multiple versions of the same dependency
- Known vulnerabilities against open source and proprietary software dependencies
- Test coverage: Ion Channel is vendor-agnostic with regard to testing tools and can integrate the results of static and dynamic analysis, unit testing and code quality evaluation tools. Ion Channel seamlessly integrates into workflows that include SonarQube, ThreadFix, HP Fortify and other third-party capabilities.
Ion Channel applies rules within the CI/CD workflow based on the above information and other customer-defined criteria.
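The checks above, as an added runnable illustration that is not Ion Channel’s own code: it resolves the full transitive tree of a constructed manifest (which deliberately pulls in two versions of one package), matches every node against a locally held copy of an advisory feed so that no package name or version from the inventory is sent anywhere (the point the data-security answer below makes), checks for required metadata, and evaluates a constructed pass/warn policy to produce the verdict a CI step acts on. All package names, versions, advisory IDs and rule names are invented for the example.

```python
import json
import sys
from collections import defaultdict

# Constructed sample data: none of these packages, versions or advisory IDs are real.
# Package registry: (name, version) -> direct dependencies as (name, version).
REGISTRY = {
    ("app", "1.0.0"):     [("webfw", "2.3.1"), ("parser", "1.4.0")],
    ("webfw", "2.3.1"):   [("httplib", "0.9.2"), ("parser", "1.2.0")],
    ("httplib", "0.9.2"): [("zlibw", "3.0.0")],
    ("parser", "1.4.0"):  [],
    ("parser", "1.2.0"):  [],
    ("zlibw", "3.0.0"):   [],
}

# Per-package metadata the rules require; "zlibw" deliberately lacks a license.
METADATA = {
    "webfw": {"license": "MIT"},
    "httplib": {"license": "Apache-2.0"},
    "parser": {"license": "MIT"},
    "zlibw": {},
}

# Locally ingested advisory feed (constructed). Matching is done against this copy,
# so nothing from the inventory is sent to an external service. Range is [introduced, fixed).
VULN_FEED = [
    {"id": "EX-2019-0001", "package": "parser",  "introduced": "1.0.0", "fixed": "1.3.0", "severity": "HIGH"},
    {"id": "EX-2019-0002", "package": "zlibw",   "introduced": "2.0.0", "fixed": "3.1.0", "severity": "MEDIUM"},
    {"id": "EX-2019-0003", "package": "httplib", "introduced": "1.0.0", "fixed": "1.0.5", "severity": "CRITICAL"},
]

# Customer-defined policy (hypothetical): which rules break the build and which only warn.
POLICY = {"no-high-or-critical": "fail", "license-present": "fail", "single-version": "warn"}
FAIL_SEVERITIES = {"CRITICAL", "HIGH"}


def vtuple(version):
    """Dotted numeric version -> comparable tuple, e.g. "1.10.2" -> (1, 10, 2)."""
    return tuple(int(part) for part in version.split("."))


def label(node):
    return f"{node[0]}@{node[1]}"


def resolve(root):
    """Walk the whole transitive tree from root.

    Returns {(name, version): [path, ...]}; each path is the chain of components
    that leads to the node, so a finding can be traced to whatever introduced it.
    A node reached twice gets two paths but is expanded once (this also ends cycles);
    two versions of the same name are kept as distinct nodes rather than merged.
    """
    paths = defaultdict(list)
    stack = [(root, [label(root)])]
    while stack:
        node, path = stack.pop()
        seen = node in paths
        paths[node].append(" > ".join(path))
        if seen:
            continue
        for dep in REGISTRY.get(node, []):
            stack.append((dep, path + [label(dep)]))
    return paths


def match_advisories(node):
    """Advisories from the local feed whose affected range contains this version."""
    name, version = node
    v = vtuple(version)
    return [a for a in VULN_FEED
            if a["package"] == name and vtuple(a["introduced"]) <= v < vtuple(a["fixed"])]


def evaluate(root):
    """Build the report and the pass/fail verdict a CI step acts on."""
    tree = resolve(root)
    versions = defaultdict(set)
    vulns, missing_meta = [], []
    for node, node_paths in tree.items():
        if node == root:
            continue
        name, version = node
        versions[name].add(version)
        if "license" not in METADATA.get(name, {}):
            missing_meta.append(label(node))
        for adv in match_advisories(node):
            vulns.append({"id": adv["id"], "severity": adv["severity"],
                          "component": label(node), "paths": sorted(node_paths)})
    duplicates = {n: sorted(vs) for n, vs in versions.items() if len(vs) > 1}
    triggered = {
        "no-high-or-critical": any(v["severity"] in FAIL_SEVERITIES for v in vulns),
        "license-present": bool(missing_meta),
        "single-version": bool(duplicates),
    }
    failed = sorted(r for r, hit in triggered.items() if hit and POLICY[r] == "fail")
    warned = sorted(r for r, hit in triggered.items() if hit and POLICY[r] == "warn")
    return {
        "components": sorted(label(n) for n in tree if n != root),
        "duplicates": duplicates,
        "vulnerabilities": sorted(vulns, key=lambda v: v["id"]),
        "missing_metadata": sorted(missing_meta),
        "failed_rules": failed,
        "warnings": warned,
        "verdict": "fail" if failed else "pass",
    }


def ci_exit_code(report):
    """Exit status for the pipeline step: non-zero breaks the build."""
    return 0 if report["verdict"] == "pass" else 1


if __name__ == "__main__":
    result = evaluate(("app", "1.0.0"))
    print(json.dumps(result, indent=2))
    sys.exit(ci_exit_code(result))
```

Run as a pipeline step, the script prints the report and exits non-zero, which is all a Jenkins or Travis job needs to break the build. Note that the older parser@1.2.0 is only reachable through webfw, and that the direct parser@1.4.0 is clean: a flat, deduplicated package list would report the vulnerable copy as fixed, which is why the tree keeps both versions and records the path to each.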
How does Ion Channel ensure that my data is secure?
System and data security and integrity are paramount in our infrastructure, processes and personnel culture. We practise end-to-end encryption (data in transit and at rest), continuous monitoring and evaluation of vulnerabilities and exploits, and a delivery and operational process based on multiple levels of testing and review. In addition, we work with our customers to ensure any integration process meets their security requirements.
All customer data and software inventories used during the analysis of a project or projects are contained and secured within Ion Channel, so that running a scan does not leak information about the software project(s) under analysis. We never query external systems with a customer’s inventory (e.g. project names and version numbers). If a customer queried a public vulnerability source directly for each component of their system, the sequence of queries itself would reveal their software inventory to that source. Instead, we ingest data from external sources wholesale into our controlled environment and encrypt it at rest and in transit, so customer inventories are never exposed.
What security audits have been performed against Ion Channel?
Ion Channel has undergone DoD-IC Authority to Operate (ATO) review and is currently deployed on intelligence agency networks.
Does Ion Channel offer an on-premise solution?
Yes. Ion Channel is available in multiple configurations, ranging from SaaS through secure-tunnel and hybrid deployments to a completely on-premises installation kept current by a data subscription. Feel free to contact us with any questions you may have.
Where does Ion Channel execute?
Ion Channel is a microservices-based architecture that splits functionality into five main components: ingest, data, APIs, CLI/UI(s), and supporting infrastructure. The Ion Channel API services run in Docker containers. Any virtualization platform that is capable of supporting Docker instances can execute the Ion Channel API. Our command line utility (CLI), which connects to the Ion Channel API, can be installed on Linux, Mac, or Windows.
What’s the installation process?
The Ion Channel API is configurable and can be up and running once the Docker images are loaded. Configuring the proper DNS entries before installation will smooth the process. The Ion Channel CLI is installable through Linux package managers, or manually by downloading the appropriate executable from a URL. The CLI’s configuration (the auth token) is supplied by an environment variable or a configuration file.
How is it different from other ‘supply-chain’ or vulnerability tools?
Ion Channel differentiates itself in several ways. Instead of requiring the end-user to switch between multiple third-party tools, Ion Channel offers a single-view analysis pipeline that shows the list of transitive dependencies in their projects, all CVE vulnerabilities in that list of dependencies, and other risk factors. Unlike services that stop with a scan or vulnerability alert, Ion Channel enforces a configurable set of rules to pass or fail a build and then reports the result. The pipeline is automated, reducing costly manual review of code, dependencies, and vulnerabilities. With the insight gained into the project, managers and analysts can manage their acceptable level of risk before release to production.
Ion Channel integrates with CI/CD workflows so that vulnerability information can trigger actions within the software development workflow. Beyond supply chain visibility and situational awareness for security engineers and risk managers, Ion Channel enables if/then rules in the workflow. Unlike tools that just analyze code, Ion Channel provides ecosystem risk analysis – the open source equivalent of vendor risk ratings – to manage risk that doesn’t show up in the code or in databases of known vulnerabilities. If the community that supports a component is small, inactive or geographically risky, that’s a significant source of risk that no code scanner will detect. Many popular components in emerging software ecosystems have a single maintainer. That doesn’t make those components bad code – it just means that if a vulnerability emerges against that component and the maintainer doesn’t care about fixing it, you’ll need resources to remediate it yourself. If the open source code isn’t being maintained or updated as vulnerabilities emerge – if there’s no-one minding the store – that code is an excellent target for attack or infiltration. Ecosystem risk analysis allows you to deliberately migrate to more strongly supported components and away from unsupported components before vulnerabilities against them are made public.
Can Ion Channel integrate with my continuous integration tool?
Ion Channel can be accessed via the CLI or the APIs (e.g. via curl), which can be used from any system that builds and tests software (Jenkins, Travis-CI, Circle-CI, etc.). Triggers and result handlers can be scripted so that Ion Channel’s Governance, Rules and Compliance (GRC) tooling is integrated as well, allowing conditional handling in a pipeline (to fail, pass, or notify accordingly).
Can I submit to Ion Channel my software inventory, and receive a report listing any known vulnerabilities?
Yes, Ion Channel can process different kinds of dependency manifests and inputs, returning a list of known vulnerabilities for each item in a single report (in a human-readable, machine-readable, or combined format).
Can I ‘subscribe’ to a given product and version number, getting notification/reports when a new analysis is completed to support my continuous monitoring requirements?
Yes, you can subscribe to notifications of component status or composition changes, or of new information as it emerges.
Can Ion Channel report to my chat tool?
Yes, Ion Channel supports multiple chat tools including Slack, and we’re interested in adding new tools requested by our customers.
How often is Ion Channel’s data updated?
The Ion Channel platform regularly ingests data from its sources (NIST NVD, language package repositories, GitHub, and other sources) as those sources are updated. Some sources are polled every two hours, some are consumed in real time, and some complex data sources are processed on a daily basis. For remote deployments, the data delivery schedule can be negotiated as part of a service-level agreement.
How is Ion Channel different from Black Duck or Palamida?
Ion Channel is focused on the relationships between defined dependencies, transitive dependencies (known or unknown), known/reported/tracked vulnerabilities, and other ecosystem intelligence revolving around source and binary components and their software development communities. Ion Channel does not perform snippet analysis, i.e. comparing chunks of your code to a corpus of open source code to detect possibly unauthorized distribution of GPL code. Because fundamental design patterns in software development mean that multiple developers will write exactly the same code to perform a specific function, snippet analysis has an extremely high false positive rate. Once those false positives exist, it is impossible to definitively prove that a chunk of code written by your developer was not copied and pasted from a piece of GPL software, which means that a firm can be legally liable for those false positives – or for destroying the false positive scan results. Ion Channel does not return hundreds or thousands of spurious matches that have to be investigated, does not create dilemmas about how to remediate matches that did not involve appropriation of GPL code, and does not create liability for false positives by generating legally discoverable false-positive scan records.
Unlike snippet-analysis code scans, Ion Channel runs continuously to eliminate gaps in situational awareness between scans. If an open source version changes or a vulnerability emerges in the wild, you’re aware of it. You also know where that information affects your software project, because the information is mapped to previous analysis of software composition. If the vulnerable component is buried in three applications, or thirty, you know exactly where they are. And you know this within hours – not days, weeks or months.
Ion Channel is a high-signal, low-noise supplement to snippet-analysis for software companies, and an alternative to snippet-analysis tools for companies that are not distributing code. It can also incorporate external test-and-evaluation results into its GRC rule evaluation capability to allow single-source policy compliance and auditing.
How is Ion Channel different from Code Climate, Gemnasium, PyUp and other SaaS tools?
While Ion Channel can be used in a similar fashion, by pointing our services at a GitHub repository, we enable our customers to integrate their software supply-chain requirements and inventories with a higher level of operational security. Ion Channel supports non-repository-based analysis of software stack inventories, monitoring complete stack definitions for vulnerabilities. In addition, Ion Channel allows for various interconnect configurations so that on-premises repositories can be continuously monitored and analyzed without exposing them to any third party (including us). Ion Channel updates those installations with one-way, encrypted transfers of the full data set ingested wholesale, rather than exposing customer inventories through customer-specific outbound queries.
Can Ion Channel help me support continuous auditing requirements for my mission critical application?
Yes, Ion Channel provides a “Body of Evidence” that can be used to capture and collect any and all information required for software assurance compliance and format it for downstream consumption by auditors and systems analysis tooling.