ProvenRun offers security consulting services to help customers address the security challenges of their infrastructure of connected devices and services. Our consulting services rely on our solid expertise in the field of security and in-depth knowledge of the challenges of different business sectors such as automotive, aeronautics, railways, energy, mobile telecommunication operators and defense. Our main services include:
- Risk Analysis,
- Security Architecture,
- Certification support.
The Risk Analysis is a required step for addressing multiple attack vectors and detecting vulnerabilities and weak points at all stages of the target system's life cycle.
What is a Risk Analysis?
A proper Risk Analysis includes the identification of assets and a study of the risks inherent to the architecture and associated functionalities for the expected usage environment. Such a risk analysis should lead to:
- the definition of primary and secondary assets with associated security properties (integrity, confidentiality, availability, etc.)
- the identification of attacker profiles, of threats, of assumptions on the usage environment, and of organizational and technical security objectives for the intended usage
- the definition of a targeted resistance level that is commensurate with the risks at stake and with the potential business models for attackers
- the assessment of all applicable risks
What to expect from a Risk Analysis?
A Risk Analysis results in the definition of the security requirements for the different components of the system. With a proper Risk Analysis, both the security architect and the development team have a clear framework with proper objectives and requirements to perform and guide their work, as well as a way to assess the adequacy of their solution to the security context.
How we can help
We provide two types of services for Risk Analysis, which can be customized to fit our customer’s needs:
Component-wide Risk Analysis:
Targeting selected aspects of a system and selected core functions, processes or services, properties such as data reliability or privacy, or robustness against some types of attack vectors.
System-wide Risk Analysis:
An in-depth study of the solution at the hardware, firmware, and software component level. This type of analysis addresses all sources of threats, vulnerabilities and risks, and allows a variety of work products to be derived, such as a vulnerability catalog, a risk mitigation plan, a set of requirements for suppliers, a solution/components configuration policy, etc.
Setting the right foundation for the security-by-design
Designing a good Security Architecture is the art of taking the right hardware and software security components, based on the security requirements, and combining them to define the Trusted Computing Base that will deliver the best trade-off between cost, performance, security and ease of integration.
The Security Architecture sets the foundation for the security-by-design. It must be done the right way and be able to cope with the evolution of the security requirements as security mitigations may have to be upgraded during the operational life of a product or a system.
How we can help
At ProvenRun, we have security architects with a long history of supporting customers with their hardware and software architectures. We can work on defining the security architecture from the ground up or work on hardening an existing architecture. Our experts have helped about half of the world’s top ten chip vendors design or improve some of their key security architectures.
Helping you all along the certification compliance journey
Security evaluation of products, services, systems and processes is key to protecting private, public citizen assets. Every single device may have a security flaw or may widen the attack surface of a larger system. Security certification lowers the risks at unit and integration level.
Certification requirements are also highly dependent on the business sector, applicable standards and regulatory obligations. In effect, for each certification project, the following must be well understood:
- the certification scheme that specifies Security Functional and Assurance Requirements (SFR and SAR) that a product or a system must meet to become certified
- the Assurance Level that the product must achieve for the given certification scheme
- the hardware and software included in the certification perimeter
However, stakeholders’ maturity regarding security and certification schemes is highly variable, and skilled personnel with experience in the certification landscape are a rare resource. Without the proper expertise and understanding of the evaluation process, certification can lead to excessive costs and project delays.
How we can help
To maximize customers’ chances of a successful and cost-effective evaluation, with no project delays, ProvenRun provides the following support:
Our Secure Components have been developed from the design stage with the certification requirements in mind. We have created them because they address the most complex part of the Trusted Computing Base, the one for which the development effort and the certification costs would not be affordable at a project or product level. With our Secure Components, those costs are shared across a large number of projects and they are made available for your evaluation project.
We have experts in security and certifications. Our experts are involved in major industry initiatives for defining Protection Profiles or supporting certification schemes. As a showcase of our unique expertise, our secure OS ProvenCore has received Common Criteria EAL7 certification, which is the highest level defined by the Common Criteria certification scheme.