---
title: /about
layout: home
permalink: /about.html
---

Approach

Like most security firms, we often start relationships with full stack audits. We also have enough experience in this industry to admit another firm will find bugs we missed, and vice versa. Our true goal in audits is to understand your threat model and find a path to fundamentally remove entire classes of relevant attack surface.

We tend to start with a consultation where we try to help you understand your true attack surface by answering tough questions:

  • Can your Google Authenticator codes be phished?
  • Can your SMS 2FA solution be SIM Swapped?
  • Can someone tamper with your Git repos or CI/CD systems?
  • Would it be profitable for someone to buy a $50,000 0day to compromise employee devices?
  • What happens when the FedEx guy leaves a tampered USB-C cable on a conference table?
  • Who reviews the code of your third party dependencies?
  • What happens when your IT administrator is compromised? Or a production engineer?
  • Can a change in local political landscape fundamentally halt your business?
  • Can someone buy a server next to yours and steal your secrets via a side channel attack?
  • How do you know the offline laptop with the keys to the kingdom has not been tampered with?
  • Do you have a plan for when your production systems are compromised?

Values

Distrust

  • We will never ask you to give us access to production systems or have any power over your org.
  • Anyone with access to significant value is at personal risk. We teach distrust to protect people.
  • We will always provide a way for you to build and verify any binaries we provide yourself.
  • We are happy to provide you any background research we legally can so you can make your own conclusions.

Transparency

  • We regularly open source our research and common advice to get input and corrections from others in our industry.
  • Prices are always public. We will sometimes adjust based on demand, but everyone is offered the same rates.
    • With the exception of fully Open Source projects, which we offer a universal 15% discount on.

Security

  • Our internal threat model assumes well funded entities are interested in our clients and our work.
  • All client work is performed in dedicated local virtual machines under an offline host OS.
  • All authentication and password management is done via dedicated pin+touch controlled personal HSMs.
  • We exclusively use End-To-End cross-verified encrypted chat internally.

Privacy

  • Your data and IP are always stored with AES-256 encryption unlockable only with our personal HSMs.
  • Your data and IP are never exposed in plain text except on your systems or systems we physically control.
  • Everyone on our team has hardware-backed PGP keys to encrypt documents and emails if you prefer.

Freedom

  • We feel every customer has a path to not need us anymore, and we will encourage it.
  • We exclusively use Open Source internally and help make improvements when needed.
  • All general purpose security tools and research we create are Open Source by default.
  • We ensure you have a free path to replicate any of our findings yourself.
  • We will always favor solutions that minimize lock-in with third parties.

Services

  • Reproducible builds
    • Build all software multiple times in systems controlled by different teams.
    • Ensure hashes match, proving code and binaries were not tampered with.
    • We optionally can host and maintain secondary build infrastructure.
  • Cryptographic key escrow.
  • Quorum managed immutable infrastructure.
  • Software Supply Chain Integrity.
  • Production Engineering Security.
  • Security Hiring.
  • Retained security support.
  • Hardware Security Modules.
  • Physical Security.
  • Business Continuity Planning.
    • Planning for Black Swan events.
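As an added illustration of the reproducible-builds check described under Services (independent teams build the same source, then the artifact hashes must agree), here is a small cross-check over per-builder manifests. This is example code written for this page, not the firm's tooling; the builder names, artifact names and contents are constructed sample data.

```python
"""Cross-check artifact hashes reported by independent builders.

Each builder publishes a manifest mapping artifact name to its SHA-256
digest. An artifact counts as reproduced only when every builder reports
the same digest. Manifests below are constructed sample data.
"""
import hashlib


def manifest_from_bytes(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Hash each built artifact (name -> bytes) into a name -> hex digest map."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def compare_builds(manifests: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Return artifact -> {builder: digest} for every artifact whose digests
    disagree across builders or that some builder failed to produce.
    An empty result means every artifact was reproduced identically."""
    builders = sorted(manifests)
    all_artifacts = set().union(*(m.keys() for m in manifests.values()))
    divergent = {}
    for artifact in sorted(all_artifacts):
        digests = {b: manifests[b].get(artifact, "<missing>") for b in builders}
        if len(set(digests.values())) != 1:
            divergent[artifact] = digests
    return divergent


# Constructed sample: the three teams agree on "cli"; "installer" differs on
# team-b (e.g. an embedded build timestamp); team-c never produced "docs".
BUILD_A = manifest_from_bytes({"cli": b"ELF-cli-v1", "installer": b"pkg-v1 built 2020", "docs": b"html"})
BUILD_B = manifest_from_bytes({"cli": b"ELF-cli-v1", "installer": b"pkg-v1 built 2021", "docs": b"html"})
BUILD_C = manifest_from_bytes({"cli": b"ELF-cli-v1", "installer": b"pkg-v1 built 2020"})

if __name__ == "__main__":
    report = compare_builds({"team-a": BUILD_A, "team-b": BUILD_B, "team-c": BUILD_C})
    for artifact, digests in report.items():
        print(f"{artifact}: NOT reproducible")
        for builder, digest in digests.items():
            print(f"  {builder}: {digest}")
```

A mismatch points at either non-determinism in the build (timestamps, paths) or tampering on one builder; either way the artifact should not ship until the diverging builder is explained.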