Most of our clients build software, and we’re here to help them do that safely. We help clients build out a program that’s both effective and unobtrusive. We help you incorporate security throughout your systems development lifecycle via a combination of tooling and processes.
We’ll review design documents and code as it gets developed. As your new feature takes shape, we’ll design and execute an appropriate security testing plan. Rather than perform monolithic tests and generating one-off “pentesting” reports that are out of date within days or weeks, we’ll generate documents demonstrating an ongoing security review and assessment program that goes far beyond a performative checkbox approach.
Since we work with our clients for an extended time, we’re around throughout the development lifecycle. Coupling that with all of the information we learn about your business allows us to review what you’re doing at all steps in a highly efficient manner, resulting in early identification of risks before a design is finalized, catching implementation flaws before they’re deployed, and reducing the amount of time it takes to get your new feature in production. Your typical annual pentest might do a decent job surfacing OWASP Top 10 style vulnerabilities (which we will also do) but rarely is as successful at identifying the sorts of business logic issues we’ll identify by being part of your SDLC.
A mature practice isn’t just about identifying cut-and-dried vulnerabilities. We’ll identify risks and design opportunities early, and keep track of more subtle risks to your application, such as brittle designs, risky dependencies, and other issues that can be hard to spot. We’ll also help train your staff to make issues less likely in the future.
We identify and provide feedback on issues affecting software supply chain components using context gained from tool output and assessment results. We can help identify where you’re lagging behind on updates and where that’s most likely to get you in trouble. We can help you mitigate risks by reducing duplicate functionality, identifying particularly risky libraries, and coming up with ways to mitigate them, such as by running them in a sandbox.
While static analysis can be useful for finding vulnerabilities, that’s just a surface-level capability. For clients with larger, more active codebases, we use static analysis tools like Semgrep to help us identify patterns in your codebase. A unauthenticated endpoint doesn’t have to be a problem (it’d be nice if the sign-in page didn’t require you to be signed in before you could sign in, for example), but it is the sort of thing we want to monitor. Any time someone develops a potentially scary new feature, we want to make sure we know about it before it hits production, even if they didn’t think to ask us about it.
Cryptography has the annoying property that getting it right looks identical to getting it disastrously wrong. Latacora has multiple formally trained cryptographers on staff who can help review or design anything from straight forward secrets management systems to complex protocols.
We believe everyone at an organization needs to think of themselves as a participant in your security program. To that end, Latacora has the ability to provide a wide variety of application security oriented training to your team, ranging from education on how/when to engage security for design + PR review, to education on specific security pitfalls and vulnerabilities so your dev team can understand the impact of these flaws and how attackers leverage them.
Not everyone needs to have a bug bounty program! In cases where they make sense, Latacora can help clients establish a bug bounty program with sane rules of engagement, a well defined scope and realizable goals. We’ll work in concert with you on triage, make recommendations on payouts where appropriate, and turn what can often feel like a burden in to a valued part of your security program.