lrvick 14 hours ago
We have never issued a clean report in our ~5 years of operation. Some firms have a reputation for issuing clean reports that look good to bosses and customers, but we prefer working with clients that want an honest assessment of attack surface and how motivated blackhats will end their business. We also stick around on retainer for firms that want security engineering consulting after audits to close the gaps we find and re-architect as needed. Unused retainer hours go into producing a lot of open source software to accelerate fixing the problems we see most often. This really incentivizes us to produce comprehensive reports that take into account how the software is developed and used in the real world. Under our published threat model few companies pass level one, and we have helped a couple get close to level 2 with post-audit consulting. Our industry has a very long way to go, as current industry standard practices are wildly dangerous and make life easy for blackhats.