Reliable Energy Analytics

Data and Security Analytics for the Electric industry

Software Assurance Guardian Point Man™ Software

Announcing beta release of the SAG Point Man™ Software

The patent-pending Software Assurance Guardian™ product line has been updated with the first-of-its-kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a risk analysis process that calculates a SAGScore™, indicating a level of trustworthiness for the software object itself and for the parties serving roles within the software supply chain. These seven steps implement best practices from each of their respective areas:

  • Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
  • Evaluate the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
  • Introspection of a software object's installation package for indications of potential risk in an attempt to categorize the package as safe or unsafe, based on known patterns.
  • Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as cve.mitre.org
  • Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software object's trustworthiness
  • Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed by the originator/Licensor of the software
  • Perform a comprehensive malware scan of the software installation package using the suite of VirusTotal malware inspection packages

The process concludes with a final SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in a file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.


Never trust software, always verify and report!™


Contact us today to arrange your demonstration of SAG Point Man™.