Software Assurance Guardian Point Man™ Software
Announcing the production release of SAG Point Man™ Software
The patent pending Software Assurance Guardian™ product line has been updated with the first of its kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and parties serving roles within the software supply chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, from each of their respective, ID.RA, ID.RM and ID.SC NIST functions:
- Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
- Evaluate the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
- Introspection of a software object's installation package resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk in order to determine the trustworthiness of a software object
- Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as cve.Mitre.org
- Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software objects trustworthiness
- Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed by the originator/Licensor of the software
- Perform a comprehensive malware scan of the software installation package using the suite of VirusTotal malware inspection packages
The process concludes with a final SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in a file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.
Never trust software, always verify and report!™
NOTE: An Energy Central Powersession is scheduled for 8/12/2020 that goes into detail of the SAG-PM™ software supply chain risk assessment process. Now available on demand
Contact us today to arrange your demonstration of SAG Point Man™.