Professional Services Overview: Internet of Things (IoT) Security Assessment and Advisory Services (IoT, Application, Mobile, Cloud, Network)
Company Overview

History: Founded in 2010. Headquartered in Austin, TX. Self-funded and profitable since inception.

Attributes: Superior technical prowess, comprehensive reporting, trusted business acumen, and time-tested methodologies.

Focus: Fortune 1,000 companies and venture-backed startups in healthcare, technology, energy, finance, manufacturing, and automotive.

Proposition: Praetorian provides end-to-end Internet of Things (IoT) penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures.
Internet of Things (IoT) Security Assessments, from Chip to Cloud

Gain confidence that your Internet of Things (IoT) devices and data are secure. Praetorian provides end-to-end IoT penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures. Our solutions provide coverage across technological domains, including embedded devices, firmware, wireless communication protocols, web and mobile applications, cloud services and APIs, and back-end network infrastructure.

Embedded Devices: Identify physical and logical security threats to the embedded systems in the IoT product ecosystem.

Device Firmware: We help ensure hardware and chip makers have sufficiently addressed IoT firmware insecurities.

Wireless Protocols: Validate the security and configuration of wireless communication such as ZigBee, 6LoWPAN, and BLE.

Web and Mobile Applications: We actively analyze web and mobile applications for weaknesses, technical flaws, and vulnerabilities.

Cloud Services: It is critical that cloud services and APIs be tested to determine whether they can be abused by attackers.

Infrastructure: Is the back-end network infrastructure supporting your IoT product ecosystem secure?

Professional security evaluations: Penetration Testing, Reverse Engineering, Code Reviews, Threat Modeling, Device Testing, Run-time Analysis, Binary Analysis, Static Analysis, Design Analysis, and Hardware Analysis. Guided by the OWASP Application Security Verification Standard (ASVS).

Get started: (800) 675-5152, info@praetorian.com, www.praetorian.com
Professional Security Assessment Services Overview

Service lines: IoT, Web, Mobile, Cloud, Network, and ICS.

Professional security evaluations: Penetration Testing, Reverse Engineering, Code Reviews, Threat Modeling, Device Testing, Run-time Analysis, Binary Analysis, Static Analysis, Design Analysis, and Hardware Analysis. Guided by the OWASP Application Security Verification Standard (ASVS).

Based on IEEE Computer Society estimates.
OWASP Application Security Verification Standard (ASVS)

Praetorian follows the OWASP ASVS standard, which normalizes the range of coverage and the level of rigor applied to each application.

Level 0 (Cursory): an optional certification, indicating that the application has passed some type of verification.

Level 1 (Opportunistic): certified applications adequately defend against security vulnerabilities that are easy to discover.

Level 2 (Standard): verified applications adequately defend against prevalent security vulnerabilities whose existence poses moderate-to-serious risk.

Level 3 (Advanced): certified applications adequately defend against advanced security vulnerabilities, and demonstrate principles of good security design.
OWASP ASVS defines the following security requirement areas: Authentication, Session Management, Access Control, Malicious Input Handling, Cryptography at Rest, Error Handling and Logging, Data Protection, Communications Security, HTTP Security, Malicious Controls, Business Logic, File and Resource, Mobile, and Embedded Devices (new).
OWASP ASVS for Internet of Things (IoT) Testing Coverage Matrix

To help product teams address emerging security challenges, Praetorian has created research-driven evaluation methodologies that incorporate guidance from the OWASP Application Security Verification Standard (ASVS), which normalizes the range of coverage and the level of rigor applied to each application. With its 3 levels of testing rigor, 17 security control categories, and 211 defined test cases, this approach allows our team to meet your unique testing and budget goals by offering tiered pricing based on the comprehensiveness of the security review.

OWASP ASVS defines the specific test cases that are in scope for each ASVS level. Each cell below gives the number of test cases in scope at that level out of the total number of test cases in the control group; the original matrix also colour-codes each cell as Excellent, Good, Fair, or Inadequate coverage.

Security Control Group                   Level 1: Opportunistic   Level 2: Standard   Level 3: Advanced
Architecture, Design, Threat Modeling     1 / 11                   8 / 11             11 / 11
Authentication Controls                  17 / 26                  24 / 26             26 / 26
Session Management Controls              11 / 13                  13 / 13             13 / 13
Access Control                            7 / 12                  11 / 12             12 / 12
Malicious Input Handling                 10 / 21                  20 / 21             21 / 21
Cryptography at Rest Controls             2 / 10                   7 / 10             10 / 10
Error Handling & Logging Controls         3 / 13                   9 / 13             13 / 13
Data Protection Controls                  4 / 11                   8 / 11             11 / 11
Communications Security Controls          7 / 13                   9 / 13             13 / 13
HTTP Security Controls                    6 / 8                    8 / 8               8 / 8
Malicious Controls                        0 / 2                    0 / 2               2 / 2
Business Logic Controls                   0 / 2                    2 / 2               2 / 2
Files and Resources Controls              7 / 9                    9 / 9               9 / 9
Mobile Controls                           7 / 11                  10 / 11             11 / 11
Web Services Controls                     7 / 10                  10 / 10             10 / 10
Configuration Controls                    1 / 10                   5 / 10             10 / 10
Embedded Device Controls (new)           10 / 29                  20 / 29             29 / 29
Total (sum of the rows above)           100 / 211               173 / 211           211 / 211
The Diana Platform: Continuous Security Unified Through Software

Diana extends security evaluations, which represent a single snapshot in time, with a subscription model that offers continuous security analysis. Using multiple analysis methods to identify new vulnerabilities introduced by incremental code changes, Diana is designed to provide ongoing, comprehensive, and efficient security coverage.

The Diana Platform enables you to: track vulnerabilities to closure, from identification to remediation; benchmark your results over time and across your application portfolio; and integrate with third-party bug tracking software and your CI/CD pipeline (export to bug tracking).
Gain confidence that your Internet of Things devices and data are secure. We help product teams focus on innovation by solving their complex security challenges.

Learn more about our approach and expertise: https://www.praetorian.com/expertise/internet-of-things

Excellence in service: find out why 97% of our clients are highly likely to recommend Praetorian (based on an all-time Net Promoter Score (NPS) of 86).
We Are the Security Experts Solving Your Cybersecurity Problems