Navigating Ambiguity in Security
After many years of being the analyst, the engineer, the program manager, the compliance specialist, and the director, we’ve become tired and frustrated with the current security model. We quickly realized there were trends impacting the security space for startups and web3 companies:
- The security interviewing process is broken (companies are either looking for devs or analysts with no grey area in between) and companies struggle to vet for the right talent;
- In traditional SaaS startups (including Web3), everyone focuses on the flashy items (e.g. custody, zk-SNARKs) and not the basics (e.g. open AWS S3 buckets);
- VC and PE firms push businesses to accept risk just to deliver a product fast;
- Everyone overlooks the data;
- Increased spend doesn’t always tackle the largest risk;
- Security is seemingly always bolted on and not baked in.
Having worked and consulted at various startups, small-to-medium sized businesses and enterprise organizations, we have seen that people typically start to care about security only once it is already too late. Even the largest and most advanced companies demonstrate what happens when you try to bolt on a security program rather than building it in alongside engineering teams (lateral movement shouldn’t occur because of hardcoded secrets in a script). Instead of perpetuating what has become normal for our industry, we’re taking a different approach. Enter Magellan Security.
At Magellan Security, we are focusing on a few areas that allow your team to scale while we focus on security. We engage with companies to help scale and educate their engineering org and security team, eventually making them self-sufficient so that they don’t have to rely on third-party or external consultants. Some areas we’re passionate about:
- Pull requests to your repos that implement actual changes, rather than nebulous audit reports;
- Secure-by-default infrastructure modules (e.g. Terraform);
- Network Architecture and Infrastructure assessments;
- Access Control reviews and audits;
- Incident Response and Breach Response;
- Red Teaming and Purple Teaming engagements;
- Security Observability and Threat Hunting assessments;
- Virtual CISO advisory;
- Achieving alignment with compliance frameworks (e.g. ISO, NIST, GDPR).