Product Security Solutions

We help product teams focus on innovation by helping solve their complex security challenges

Trusted by

Built on expertise, engineered to scale, and unified through software

Continue to leverage the trusted, in-house expertise that Praetorian has become known for while scaling up

Professional evaluations through trusted experts

Leverage the experience and trust of expert professionals with prior backgrounds in hardware and software development.

Continuous security analysis for DevOps

Get continuous security testing at the speed of DevOps with direct support for your CI/CD toolchain and pipeline.

Machine learning aided vulnerability identification

Apply machine learning techniques to identify new vulnerabilities introduced by incremental code movement

Our professional security evaluations are performed in-house and trusted by today's leading product teams

Between project deadlines and user demand for new features, security generally is not the highest priority for product development teams. Too often, identifying and remediating vulnerabilities is seen as a task performed during the testing phase at the tail end of the software development lifecycle (SDLC). When it comes to secure coding, this reactive secure development approach is setting software teams up for failure.

To help product teams address emerging security challenges, Praetorian has created research-driven evaluation methodologies that incorporate guidance from the OWASP Application Security Verification Standard (ASVS), which normalizes the range in coverage and level of rigor applied to each application. With its 3 levels of testing rigor, 17 security control categories, and 211 defined test cases, this approach allows our team to meet your unique testing and budget goals by offering tiered pricing based on the comprehensiveness of the security review.

As part of a professional security evaluation, and depending on the level of rigor, Praetorian will employ a variety of techniques for uncovering unknown vulnerabilities:

Penetration testing

Run-time analysis

Binary analysis

Code analysis

Design analysis

Requirements analysis

Architecture, Design, Threat Modeling
1 / 11

Authentication Controls
17 / 26

Session Management Controls
11 / 13

Access Control
7 / 12

Malicious Input Handling
10 / 21

Cryptography at Rest Controls
2 / 10

Error Handling & Logging Controls
3 / 13

Data Protection Controls
4 / 11

Communications Security Controls
7 / 13

HTTP Security Controls
6 / 8

Malicious Controls
0 / 2

Business Logic Controls
0 / 2

Files and Resources Controls
7 / 9

Mobile Controls
7 / 11

Web Services Controls
7 / 10

Configuration Controls
1 / 10

Embedded Device Controls
New
10 / 29

ASVS Level 1 is meant for all software.

Architecture, Design, Threat Modeling
8 / 11

Authentication Controls
24 / 26

Session Management Controls
13 / 13

Access Control
11 / 12

Malicious Input Handling
20 / 21

Cryptography at Rest Controls
7 / 10

Error Handling & Logging Controls
9 / 13

Data Protection Controls
8 / 11

Communications Security Controls
9 / 13

HTTP Security Controls
8 / 8

Malicious Controls
0 / 2

Business Logic Controls
2 / 2

Files and Resources Controls
9 / 9

Mobile Controls
10 / 11

Web Services Controls
10 / 10

Configuration Controls
5 / 10

Embedded Device Controls
New
20 / 29

ASVS Level 2 is for applications that contain sensitive data, which requires protection.

Architecture, Design, Threat Modeling
11/ 11

Authentication Controls
26 / 26

Session Management Controls
13 / 13

Access Control
12 / 12

Malicious Input Handling
21 / 21

Cryptography at Rest Controls
10 / 10

Error Handling & Logging Controls
13 / 13

Data Protection Controls
11 / 11

Communications Security Controls
13 / 13

HTTP Security Controls
8 / 8

Malicious Controls
2 / 2

Business Logic Controls
2 / 2

Files and Resources Controls
9 / 9

Mobile Controls
11 / 11

Web Services Controls
10 / 10

Configuration Controls
10 / 10

Embedded Device Controls
New
29 / 29

ASVS Level 3 is for the most critical applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

Coverage Key

Inadequate

Fair

Good

Excellent

Praetorian follows the OWASP ASVS standards, which normalizes the range in coverage and level of rigor applied to each application.

Our expertise covers everything from chip-to-cloud

We support the most modern web technologies

"Praetorian's approach was very professional, to the point and comprised of in-depth analysis of the security vulnerabilities, which was greatly beneficial to us."

Fakhr Ul-Islam

Director Product Management IOT

"Praetorian was very quick to respond with quotes, very thorough in their testing procedures, and very accommodating to our schedule limits and tight deadlines. Will be back in touch soon to talk about additional work."

Mark House

Information Security

"I was very happy with the team, everyone was professional, the items found were useful, and I've received positive feedback from others here in engineering."

Mike Yoder

Software Engineer

"Praetorian always considers the broader set of enterprise services we have here at Qualcomm so reports and recommendations can be actionable."

Gabe Lawrence

Senior IT Security Engineer

Delivering on-going, comprehensive, and efficient security testing coverage

Software development has shifted. With mass adoption in cloud and container technologies, Internet-based companies are shipping code at unprecedented speed. The new pace in which code is being pushed to production is causing security teams to reexamine how they integrate security verification into the software development lifecycle.

As an alternative to providing clients a security evaluation that represents a single, snapshot in time, Diana’s subscription model offers holistic, continuous security analysis. Using multiple analysis methods and machine learning techniques to identify new vulnerabilities introduced by incremental code movement, Diana is designed to provide customers with on-going, comprehensive, and efficient security testing coverage.

Leverage technology through code annotation and support for continuous integration/continuous delivery

To meet the needs of customers adopting rapid iteration development practices, we have created a new client experience that we call Security-as-a-Service. Internally and affectionately referred to as Diana, named after the goddess of the hunt, our new platform is transforming the way in which product security evaluations are performed. As an alternative to providing clients a security evaluation that represents a single, snapshot in time, Diana’s subscription model offers holistic, continuous security analysis.

From vulnerability identification to vulnerability remediation, Diana delivers a comprehensive security view into an organization’s product portfolio. Through Diana’s unified vulnerability management platform, clients can continue to leverage the trusted, in-house expertise that Praetorian has become known for while scaling up on-going testing coverage via continuous integration and leveraging machine learning vulnerability identification techniques.

Learn More

Allocate resources for remediation in the most cost-effective way

Praetorian is known for delivering actionable, accurate assessments that produce tangible security improvements. Many clients continue to improve their security posture by leveraging our team's security expertise throughout their full security life cycle to ensure successful mitigation and remediation.

Praetorian is a collective of highly technical engineers and developers with decades of industry experience. We truly act as an extension of your team offering deep security expertise, unified through software, that helps you prioritize risk so you can successfully balance risk with time-to-market pressures.

Product security remediation services:

Mitigation verification

Vendor analysis

Code patching

Design/development

Integrate security across the entire SDLC to achieve true improvement

This can be accomplished using a software maturity model, such as OWASP’s Software Assurance Maturity Model (OpenSAMM), BSIMM, and Microsoft SDL. The maturity model describes a wide variety of activities in which an organization could engage to reduce security risks and increase assurance.

Leveraging a maturity model is the best approach when reviewing security over the entire software development lifecycle. A maturity model is appropriate for two reasons. First, the business objectives of a company and the maturity of its software security practice will vary widely from one organization to the next. Not all organizations need to achieve the same security goals, but all organizations can measure their standing against a uniform yardstick. Second, integration almost always means changing the way an organization works—something that doesn't happen overnight. A maturity model provides a way to assess the state of an organization, prioritize changes, and demonstrate progress.

Get Started

Software Development Lifecycle

Governance

Strategy and Metrics
Education and Guidance
Policy and Compliance

Construction

Threat Assessment
Security Requirements
Secure Architecture

Verification

Design Review
Implementation Review
Security Testing

Operations

Issue Management
Environment Hardening
Operational Enablement

OpenSamm Shown Above

Ready to get started?

Contact Us

Join our growing team

Contact Praetorian to get started.