Security rarely tops the priority list for startups - but that doesn’t make it optional. Running a startup is no small feat. Facing enormous pressure to address a never-ending list of priorities (finding market fit, fundraising, launching new features, scaling infrastructure, etc.), security often becomes a “later” issue … until it can’t be. Even when companies know they need help, the breadth of the problem can be intimidating. Application security, cloud infrastructure, third-part...
Every other week, regulators around the world bombard their constituents with new data protection laws and acronyms. As the person who was just voluntold you’re now responsible for privacy at your startup, in addition to all your other duties and without any additional resources, how can you possibly be expected to keep up—let alone contextualize that information to maintain compliance? Privacy, at its core, is an ethical issue, which means the solution to your privacy challenges is decep...
Mapping your security posture Latacora engagements begin with getting to know your overall security posture. Latacora’s SAR process is a broad-spectrum, holistic look at your organization’s information security risks. This allows us to collaboratively drive priorities based on the risks presented by your current security stance, rather than being solely based on hunches or findings devoid of context. The output of this review is a maturity assessment coupled with a roadmap: a prioritized ...
Risk & compliance If SOC 2 is on your roadmap, we’re here to help! Substantially all of our clients either have a SOC 2 or are in the process of getting one, and we’re a key partner in making that happen. We’ll help figure out where you’re at process-wise, gauge your current readiness, and deliver actionable steps to get you ready for your audit. If you have timelines for SOC 2 in mind, we’ll also help figure out how realistic they are.
Summary
Make security a part of closing more deals and close deals faster
We handle vendor security questionnaire answering, including knowledge base maintenance and prep work
We’ll jump on sales calls to help close critical deals
Working with GTM strategy to make sure your security is being fully leveraged for your prospective customers
Vendor security questionnaire support Many of our customers are inundated with vendor security questionnaires. This is a great problem to have, but it’s ...
Application security, cryptography & SDLC Most of our clients build software, and we’re here to help them do that safely. We help clients build out a program that’s both effective and unobtrusive. We help you incorporate security throughout your systems development lifecycle via a combination of tooling and processes. We’ll review design documents and code as it gets developed. As your new feature takes shape, we’ll design and execute an appropriate security testing plan. Rather than ...
Executive summary Latacora provides a cost-effective, transparent, low-commitment detection & response program.
Scalable and predictable pricing
Complete: includes visibility tooling (such as SIEM, EDR, e-mail security) and combines detection engineering, incident response, endpoint detection & response, and related tools and services to make them effective
Month-to-month, no long-term commitments, like the rest of Latacora
No surprise fees (e.g., investigation tool SKUs, Latacora infrastruct...
Infrastructure security monitoring We continuously monitor your infrastructure by taking regular snapshots of resource configurations. Through rule-based analysis of those configurations, we can identify, quantify and help you manage all sorts of risk. Because we store that historical data, not just findings, we can leverage that data for more than just identifying vulnerabilities or quantifying risk at a given point in time. For example, we’ve worked with clients to help explain how their ...
Lightweight IT support where it matters most Many of our customers find themselves in the situation where an engineering or tech leader has to wear an IT hat for a fraction of their week. This results in the classic case where your IT challenges fall off the radar or get relegated to your third or fourth priority. The standard solution is to hire an MSP - but many fall short of taking the management load off your plate - consuming considerable hours but requiring you or your team to continue to do...
Working at Latacora
Roles we’re currently hiring for
Mid-Level GRC Analyst
Security Architect
Customer Trust Analyst
Senior Customer Trust Analyst
To express interest in future roles, please fill out this form and e-mail us at careers at latacora dot com.
About Latacora Latacora runs the security team for a diverse list of clients at different levels of maturity. We design, review and test the products that our clients ship. That means we get broad technology exposure. We’ve had clients w...
Security is a complex, multifaceted problem. Most businesses trying to start a security practice don’t need a “security person” as much as they need application security work on Monday, guidance from a Cloud security person on Tuesday, a third party risk management security review on Wednesday, handle SOC 2 compliance on Thursday and be the resident IT expert on Friday. Oh, and they’re responsible for security monitoring throughout the week while being on-call for incidents. And, of c...
Retained security teams for startups.
Latacora Blog
This post is the second in a series about logging and audit trails from a security perspective. If you’re looking to level up your security practices, logging is a good place to focus your attention. Just as logging is a core pillar of observability, comprehensive audit trails are a core pillar of a strong security program. Logs and audit trails are separate but overlapping concepts, and most companies can improve their security posture by investing in this area.
Latacora collects and analyzes data about services our clients use. You may have read about our approach to building security tooling, but the tl;dr is we make requests to all the (configuration metadata) read-only APIs available to us and store the results in S3. We leverage the data to understand our clients’ infrastructure and identify security issues and misconfigurations. We retain the files (“snapshots”) to support future IR/forensics efforts. This approach has served us well, but...
Exciting news! Latacora is teaming up with Vanta to supercharge your compliance game. We now combine Latacora’s security expertise with Vanta’s compliance platform to help you reach your compliance goals faster than ever. As a Vanta managed service provider (MSP), Latacora can help you tackle your compliance goals quickly and efficiently, freeing you to focus on growing your business and building trust with your customers. Here’s the scoop on why using Vanta through Latacora is a game-c...
One of our favorite blog posts is our “crypto right answers” post. It’s intended to be an easy-to-use guide to help engineers pick the best cryptography choices without needing to go too far down a rabbit hole. With post-quantum cryptography (PQC) recently transitioning from an academic research topic to a more practical cryptography concern we figured it’s time for an update of our cryptography recommendations. One thing that makes recommending PQC challenging is that historically, w...
We traveled to Toronto this year to attend RWC 2024. The conference was held in TIFF Lightbox located in the city’s downtown; the venue is the headquarters for the Toronto Film Festival and contains five cinema rooms. RWC is a single-tracked conference and there’s no hard requirement that talks are backed by papers. Each RWC includes the Levchin prize ceremony for major achievements in applied cryptography, several invited talks and the lightning talks session.
When people talk about PBKDFs (Password Based Key Derivation Functions), this is usually either in the context of secure password storage, or in the context of how to derive cryptographic keys from potentially low-entropy passwords. The Password Hashing Competition (PHC, 2013-2015) was an open competition to derive new password hashing algorithms, resulting in Argon2 hash as its winner. Apart from achieving general hash security, many of the candidates focused on achieving resistance to paral...
This post is the first in a series about logging and audit trails from a security perspective. At Latacora, we bootstrap security practices. We partner with companies that frequently have minimally developed security programs, work with them to figure out the right security practices for their current size, and then help them evolve and scale those practices as their business matures. One thing we always ask new clients about is logging.
Introduction Most “security tools” today are typically composed by code that consumes an API and applies predefined logic to identify issues. This is generally accomplished by:
Fetching a subset of the endpoints exposed by the service / API being audited (i.e. the information required for the evaluation logic, such as a list of the EC2 instances deployed in an AWS account, as well as their configuration)
Storing the data retrieved
Evaluating this data to produce “findings” (this is th...
The last Strange Loop conference was held September 21-22, 2023 at St. Louis Union Station. The conference is targeted towards developers; the speakers are often sharing their knowledge on new and inventive ways to use technology. At our sponsor booth at Union Station, attendees asked two (okay, three) questions most often: What is Latacora? Your name is on the lanyards, and I’m curious to know what you do. Why sponsor Strange Loop?
Compute resources in AWS (e.g. EC2 instances, ECS tasks/services, etc.) get access to AWS credentials, such as temporary instance role credentials, via the Instance Metadata Service (IMDS). The compute resources use these credentials to access other AWS services such as SQS, DynamoDB and Secrets Manager. Introduction: Problems with IMDSv1 There was originally only one version of IMDS, now called “v1,” which unfortunately many people still use. The technical risks and high profile inciden...
So, you plan to sell your startup’s product to big companies one day. Congratu-dolences! Really, that’s probably the only reason you should care about this article. If that’s not you, go forth and live your life! We’ll ask no more of your time. For the rest of you: Industry people talk about SOC2 a lot, and it’s taken on a quasi-mystical status, not least because it’s the product of the quasi-mystical accounting industry.
Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email. Technologists hate this argument. Few of them specialize in cryptography or privacy, but all of them are interested in it, and many of them tinker with encrypted email tools. Most email encryption on the Internet is performative, done as a status signal or show of solida...
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.
(This is an introductory level analysis of a scheme involving RSA. If you’re already comfortable with Bleichenbacher oracles you should skip it.) Someone pointed me at the following suggestion on the Internet for encrypting secrets to people based on their GitHub SSH keys. I like the idea of making it easier for people to leverage key material and tools they already have. The encryption instructions are: echo "my secret" > message.
The ROCA RSA key generation flaw or ROBOT, the “Return Of Bleichenbacher” attack: which is most deserving of the “Best Cryptographic Attack” Pwnie award at the 2018 Black Hat USA conference? Only one can survive. Let us consider. Assume for the moment that it’s down to those two: ROBOT and ROCA. But first take a moment to consider the best cases for the “runners up”. They are all excellent; it was a very good year for crypto research.
The eslint-scope npm package got compromised recently, stealing npm credentials from your home directory. We started running tabletop exercises: what else would you smash-and-grab, and how can we mitigate that risk? Most people have an RSA SSH key laying around. That SSH key has all sorts of privileges: typically logging into prod and GitHub access. Unlike an npm credential, an SSH key is encrypted, so perhaps it’s safe even if it leaks?
TL;DR: if I ever told you to use Noise, I probably meant Noise_IK and should have been more specific. The Noise protocol is one of the best things to happen to encrypted protocol design. WireGuard inherits its elegance from Noise. Noise is a cryptography engineer’s darling spec. It’s important not to get blindsided while fawning over it and to pay attention to where implementers run into trouble. Someone raised a concern I had run into before: Noise has a matrix.
Default shells usually end in $. Unless you’re root and it’s #. That tradition has been around forever: people recognized the need to highlight you’re not just some random shmoe. These days we have lots of snazzy shell magic. You might still su, but you’re more likely to sudo. We still temporarily assume extra privileges. If you have access to more than one set of systems, like production and staging, you probably have ways of putting on a particular hat.
Modern applications tend to be composed from relationships between smaller applications. Secure modern applications thus need a way to express and enforce security policies that span multiple services. This is the “server-to-server” (S2S) authentication and authorization problem (for simplicity, I’ll mash both concepts into the term “auth” for most of this post). Designers today have a lot of options for S2S auth, but there isn’t much clarity about what the options are or why you...
If you’re like me, you think of Google Groups as the Usenet client turned mailing list manager. If you’re a GCP user or maybe one of a handful of SAML users you probably know Google Groups as an access control mechanism. The bad news is we’re both right. This can blow up if permissions on those groups aren’t set right. Your groups were probably originally created by a sleep-deprived founder way before anyone was worried about access control.
Amidst the hubbub of the Efail PGP/SMIME debacle yesterday, the WireGuard project made a pretty momentous announcement: a MacOS command line version of the WireGuard VPN is now available for testing, and should stabilize in the coming few months. I’m prepared to be wrong, but I think that for a lot of young tech companies, this might be the biggest thing to happen to remote access in decades. WireGuard is a modern, streamlined VPN protocol that Jason Donenfeld developed based on Trevor Per...
It’s weird to say this but a significant part of the value we provide clients is filling out Dumb Security Questionnaires (hereafter DSQs, since the only thing more irritating than a questionnaire is spelling “questionnaire”). Daniel Miessler complains about DSQs, arguing that self-assessment is an intrinsically flawed concept. Meh. I have bigger problems with them. First, most DSQs are terrible. We get on calls with prospective clients, tell them “these DSQs were all first written in...
Cryptographic Right Answers
The PGP Problem