Product Security Solutions

We help product teams focus on innovation by helping solve their complex security challenges

Our professional security evaluations are performed in-house and trusted by today's leading product teams

Between project deadlines and user demand for new features, security generally is not the highest priority for product development teams. Too often, identifying and remediating vulnerabilities is seen as a task performed during the testing phase at the tail end of the software development lifecycle (SDLC). When it comes to secure coding, this reactive secure development approach is setting software teams up for failure.

To help product teams address emerging security challenges, Praetorian has created research-driven evaluation methodologies that incorporate guidance from the OWASP Application Security Verification Standard (ASVS), which normalizes the coverage and level of rigor applied to each application. With its 3 levels of testing rigor, 17 security control categories, and 211 defined test cases, this approach lets our team meet your testing and budget goals by offering tiered pricing based on the comprehensiveness of the security review.

As part of a professional security evaluation, and depending on the level of rigor, Praetorian will employ a variety of techniques for uncovering unknown vulnerabilities:
Penetration testing
Run-time analysis
Binary analysis
Code analysis
Design analysis
Requirements analysis
Security control coverage by ASVS level (test cases covered / test cases defined per control category):

Control category                        Level 1: Opportunistic   Level 2: Standard   Level 3: Advanced
Architecture, Design, Threat Modeling   1 / 11                   8 / 11              11 / 11
Authentication Controls                 17 / 26                  24 / 26             26 / 26
Session Management Controls             11 / 13                  13 / 13             13 / 13
Access Control                          7 / 12                   11 / 12             12 / 12
Malicious Input Handling                10 / 21                  20 / 21             21 / 21
Cryptography at Rest Controls           2 / 10                   7 / 10              10 / 10
Error Handling & Logging Controls       3 / 13                   9 / 13              13 / 13
Data Protection Controls                4 / 11                   8 / 11              11 / 11
Communications Security Controls        7 / 13                   9 / 13              13 / 13
HTTP Security Controls                  6 / 8                    8 / 8               8 / 8
Malicious Controls                      0 / 2                    0 / 2               2 / 2
Business Logic Controls                 0 / 2                    2 / 2               2 / 2
Files and Resources Controls            7 / 9                    9 / 9               9 / 9
Mobile Controls                         7 / 11                   10 / 11             11 / 11
Web Services Controls                   7 / 10                   10 / 10             10 / 10
Configuration Controls                  1 / 10                   5 / 10              10 / 10
Embedded Device Controls (new)          10 / 29                  20 / 29             29 / 29
Total                                   100 / 211                173 / 211           211 / 211

ASVS Level 1 (Opportunistic) is meant for all software. ASVS Level 2 (Standard) is for applications that contain sensitive data requiring protection. ASVS Level 3 (Advanced) is for the most critical applications: those that perform high-value transactions, contain sensitive medical data, or otherwise require the highest level of trust.

Praetorian follows the OWASP ASVS standard, which normalizes the coverage and level of rigor applied to each application.

Our expertise covers everything from chip-to-cloud
We support the most modern web technologies
"Praetorian's approach was very professional, to the point and comprised of in-depth analysis of the security vulnerabilities, which was greatly beneficial to us."
Fakhr Ul-Islam
Director Product Management IOT
"Praetorian was very quick to respond with quotes, very thorough in their testing procedures, and very accommodating to our schedule limits and tight deadlines. Will be back in touch soon to talk about additional work."
Mark House
Information Security
"I was very happy with the team, everyone was professional, the items found were useful, and I've received positive feedback from others here in engineering."
Mike Yoder
Software Engineer
"Praetorian always considers the broader set of enterprise services we have here at Qualcomm so reports and recommendations can be actionable."
Gabe Lawrence
Senior IT Security Engineer

Leverage the law of large numbers through private bug bounties to scale on-going security testing efforts

Software development has shifted. With the mass adoption of cloud and container technologies, Internet-based companies are shipping code at unprecedented speed. The pace at which code is now pushed to production is causing security teams to reexamine how they integrate security verification into the software development lifecycle.

One strategy for keeping pace with today's accelerated development lifecycle is to tap into the scale provided by a private bug bounty. This crowdsourcing model defines a payout scale for identified vulnerabilities, typically based on criticality, and invites a select pool of security researchers to hunt for bugs until the bounty purse is exhausted. You pay only for security bugs that are identified and professionally validated, which is a major benefit in addition to the model's scalability.

Leverage technology through code annotation and support for continuous integration/continuous delivery

To meet the needs of customers adopting rapid-iteration development practices, we have created a new client experience that we call Security-as-a-Service. Internally and affectionately referred to as Diana, named after the goddess of the hunt, our new platform is transforming the way product security evaluations are performed. As an alternative to a security evaluation that represents a single snapshot in time, Diana's subscription model offers holistic, continuous security analysis.

From vulnerability identification to vulnerability remediation, Diana delivers a comprehensive security view into an organization’s product portfolio. Through Diana’s unified vulnerability management platform, clients can continue to leverage the trusted, in-house expertise that Praetorian has become known for while scaling up on-going testing coverage via continuous integration, bug bounty, and deep learning technologies.

Allocate resources for remediation in the most cost-effective way 

Praetorian is known for delivering actionable, accurate assessments that produce tangible security improvements. Many clients continue to improve their security posture by leveraging our team's security expertise throughout their full security life cycle to ensure successful mitigation and remediation.

Praetorian is a collective of highly technical engineers and developers with decades of industry experience. We truly act as an extension of your team offering deep security expertise, unified through software, that helps you prioritize risk so you can successfully balance risk with time-to-market pressures.

Product security remediation services:
Mitigation verification
Vendor analysis
Code patching
Design/development

Integrate security across the entire SDLC to achieve true improvement

This can be accomplished using a software security maturity model such as OWASP's Software Assurance Maturity Model (OpenSAMM), BSIMM, or the Microsoft SDL. A maturity model describes a wide variety of activities in which an organization could engage to reduce security risk and increase assurance.

Leveraging a maturity model is the best approach when reviewing security over the entire software development lifecycle. A maturity model is appropriate for two reasons. First, the business objectives of a company and the maturity of its software security practice will vary widely from one organization to the next. Not all organizations need to achieve the same security goals, but all organizations can measure their standing against a uniform yardstick. Second, integration almost always means changing the way an organization works—something that doesn't happen overnight. A maturity model provides a way to assess the state of an organization, prioritize changes, and demonstrate progress.

Software Development Lifecycle

Governance
  • Strategy and Metrics
  • Education and Guidance
  • Policy and Compliance
Construction
  • Threat Assessment
  • Security Requirements
  • Secure Architecture
Verification
  • Design Review
  • Implementation Review
  • Security Testing
Operations
  • Issue Management
  • Environment Hardening
  • Operational Enablement
OpenSAMM business functions and security practices shown above.
