Icons Seeks Partners To Extend App Security

The security solution provider, based here, specializes in assessing the security of e-commerce applications for clients in financial services and other vertical markets. Icons now wants to expand its market reach by teaming with other consulting and integration firms to resell its application security services.

"If I'm a systems integrator hired by a large firm to produce an e-commerce site, I'll be engaged for up to a year. Somewhere along the line, that client will ask the integrator to comment on security," said Paul Rohmeyer, COO of Icons.

Icons can provide security expertise by inspecting an application's design and looking at how it applies encryption, access controls and other security measures, he said.

A third-party security review provides credibility for the integrator's work and avoids conflicts of interest, Rohmeyer said. "There can be no appearance that the designers have hidden anything," he said.

To build a channel for its professional services, Icons created a tiered partner program based on level of commitment and hired a marketing director. The firm hopes to sign about 40 partners this year, Rohmeyer said.

Icons is recruiting a variety of partners, including some companies that might appear to be competitors, said Icons CEO Sanjay Kalra. Security is a broad area, however, and Icons' application security focus can complement another firm's area of expertise, he said.

Sun Tzu Security, a Milwaukee-based security solution provider, sees precisely that opportunity in teaming with Icons, said David Wells, Sun Tzu's director of strategic partnerships.

"We have a service that they don't offer and vice versa," he said. "They have a service that we don't have and we'd like to offer."

While Sun Tzu could offer Icons' application security services, it would also look to Icons as a channel for its 24x7 managed network security services, Proactive Information Security Monitoring (PRISM), Wells said.

Sun Tzu sees a potentially strong market for application security among its SMB customers, Wells said. Attackers can break into a network through a hole in an application, and Icons has built a reputation in securing applications, he said.

Rohmeyer said customer interest in application security assessments has grown over the past six months as companies roll out B2B and B2C sites.

Plus, system breaches have become more sophisticated over the past 18 months, raising security awareness in the enterprise and prompting companies to look beyond network-based assessments to application-based ones, Kalra said.

Another security consulting firm providing application security is @stake, Cambridge, Mass. Earlier this year, the company disclosed the results of research it's been doing. According to @stake, the typical e-business application is at risk because of security flaws introduced early in the design cycle.

Icons follows an assessment approach based on the National Security Agency's Information Assurance Methodology (IAM), a systematic way of examining cyber vulnerabilities.

Icons examines critical parts of an application and technical architecture, including business processes that the application system supports, code review, programmatic controls and privacy requirements.

The firm reviews a broad range of applications, from entirely homegrown systems to commercial applications, Rohmeyer said.

The partner model works well in security, where organizations turn only to parties that they trust, he said. "If I'm brought in as partner by a company that's already engaged with that client, it goes a long way toward establishing trust," Rohmeyer said.