I have now started working for a larger, established pen-testing firm. It’s like Cybergibbons Limited but with a lower average beard. If you still want pen-testing services, get in touch via the contact form.
There are plenty of big, well-known names in the information security field. Why should you work with Cybergibbons Limited instead of them?
Domain expertise in IoT/embedded systems
I have many years of experience tearing down embedded systems and analysing their security. This has allowed me to build up skills, experience and tools that few others have. I know the differences between general purpose computers on enterprise networks and 8-bit microcontrollers distributed across a wide customer base.
Not just a pen-test
A pen-test often proves that there is at least one way into you system. That’s great – but you aren’t an attacker – you are a defender. You need to close every hole, not just find one.
Security is about layers. I will analyse each of the layers in your system and make them as strong as needed. I will look at the wider picture, following as many paths as I can to get into your systems. Some of these paths may lead to a dead-end. A dead-end to me may not be to a more skilled attacker, a better funded attacker, or an attacker with knowledge that is not yet in the public domain. By closing as many paths as possible, you get a more secure system now and into the future.
I will also perform a variation on root-cause analysis that I call “5-whys”. For each significant issue I find, I ask “Why did this happen?”. This is done 5 times, leading us closer to a root-cause each time. By moving closer to the root-cause, you get a shorter list of remedies in the near term. It avoids having to take extremely high-level advice that can be difficult or expensive to action.
Not just a vulnerability scan
Whilst a vulnerability scan is always going to be part of any test, it should never be the final result. Many smaller companies have been stung by expensive tests where all they are provided with is a lengthy vulnerability report, with little context and no remediation advice. It might tick boxes and allow you to brand yourself “compliant”, but it rarely enables you to improve the security of your system.
In an ideal world, every project would receive a large security budget. This is rarely the case.
Security does not make your new IoT startup money. However, a lack of security can cost it badly. You need to find a balance.
I understand the limitations of hardware, the pressure to get to market quickly, and the skills your staff have. I can provide you with realistic remedies to issues found, as well as put you in touch with skilled hardware and software developers when you need help.