"Can we hire you to penetrate our competitor's system and provide his confidential business information?"

NO. This kind of activity is illegal in most countries and contradicts our business ethics. Additionally, we are under a legal obligation to report all requests of this kind to the proper authorities (with whom we maintain constant professional as well as personal contact). You can only hire us to try to penetrate your own system, and even then you have to officially authorize us to do so in a contract.
"Can we hire you to find security holes in our competitor's product?"

NO. This kind of activity, while generally legal, contradicts our business ethics. As a general rule, it must be in the customer's best interest for identified security problems to be resolved effectively, professionally and with consideration for the security of its users and fairness to the vendor. However, you can hire us to analyze a product that you are using, provided the rule stated above is respected. For example, our customers hire us to analyze e-commerce and e-banking systems developed for them by various vendors as well as those they have developed in-house.
"We are interested in your services but you are from the other side of the globe. How will our relationship work?"

Our business policy makes a long-distance business relationship possible. We're not trying to make our customers' security dependent on us. We strongly believe that information security as a process can't (and shouldn't) be outsourced. However, security analyses, consulting and time-limited projects can (and often should) be. These are the kinds of services we provide. So basically, we're not here to run your information security process; we're here to help you run it yourself.
"Who are your customers?"

We are under a strict nondisclosure agreement (NDA) with all our customers. This NDA stipulates confidentiality of all information regarding our customers, including their identities. Information security is an extremely sensitive business, and once your company hires services of this kind, you would be smart to demand complete nondisclosure from your contractor too. We bring a signed NDA to our first meeting with a customer.
"How do we know you have the knowledge and skills for the job?"

While for reasons of confidentiality we can't provide a list of our customers, you can take a look at some references from our non-contract work. If we can find security problems in products developed by vendors with multi-million dollar security and testing budgets, we are likely to also find them in others. And we continually do.
"Can you make our system 100% secure?"

Unfortunately, nobody can. Today's systems are too complex, and there are literally infinitely many ways to interact with them (logically or physically). Even if your system were very simple and it were possible to formally prove its theoretical security, there exists no method for proving the security of that system's implementation. For instance, the flaws we have discovered in the SSL modules of Microsoft's and Netscape's browsers are a nice example of a solid (secure) theory with an insecure implementation. And these flaws could be just the tip of an iceberg. What we can do is make your system more secure and, most importantly, balance its security so that its weakest link is as strong as possible.