All too often product teams don’t execute recommendations from commissioned penetration tests. There just aren’t enough resources. Even when action is taken, progress is difficult to measure. For these reasons we recommend that firms focus less on testing and more on developer assistance.
How we can help
Trail of Bits maintains a staff of expert security engineers responsible for shipping code in complex systems on a daily basis. We have built secure software updaters, low-level software libraries, and high-assurance operating system components for our clients.
Our engineers will work alongside your team to make your product markedly more secure.
We measure progress with a simple 18-point evaluation framework: The Dan Test (inspired by similar guidelines and standards, such as: The Digital Standard, OSS-Fuzz bounty criteria, CII Best Practices, and The Joel Test). When your code passes The Dan Test, it will be in a disciplined product security position that covers:
- Compilation. Take advantage of a modern compiler and all its associated benefits.
- Source code management. Deploy security improvements with confidence.
- Static and dynamic testing. Discover new issues with the best available tools.
- Attack surface reduction. Avoid unnecessary bugs and focus on core competencies.
- Known risks. Properly address the issues you know about.
To start an engagement, we benchmark your code on The Dan Test and help you achieve greater coverage of each work item. We spend a fixed amount of time each month working directly on your codebase and make steady progress with limited or no direction from your team.
- A clear, actionable assessment of security maturity of your product.
- A set amount of expert security engineering time from our team each month.
- Simple, continuous security improvements to your product.
- Measurable outcomes that help you communicate to management.
- Tested and trusted software security techniques integrated into your product.
Contact us to make measurable improvements to your software security.