Security Consulting & Auditing
I specialize in auditing cryptographic protocols and implementations. I'm especially interested in auditing privacy-enhancing technologies and products that bring advanced cryptography to real users. But I'm a generalist; I have experience auditing all sorts of designs and codebases for all sorts of vulnerabilities.
I've found some cool bugs through my work, including one that would have made it possible to create infinite money, a way to steal money out of a hardware wallet by confusing its state machine, and many ways of stealing money or otherwise getting free stuff out of a payment processor. I've also applied the Flush+Reload side-channel to spy on everyday applications like your web browser and PDF reader.
What's unique about my approach is that I see security through the lens of usability and user experience. A security issue, in my opinion, occurs any time a user relies on a security or privacy property that isn't actually there. Security bugs aren't just incorrect equations or lines of code that need fixing; they also come from the ways your product makes its own security properties hard to understand, and from design choices that make your product hard to use safely. This point of view is baked right into my threat modeling methodology.
I combine my technical rigor with good "product" sense to see your project from two perspectives at once: I gain a deep technical understanding of its internal workings, and at the same time see it through the eyes of a real, hurried, just-wants-to-get-the-job-done user. This way I don't just point out flaws; I help you figure out how to design your product to work as easily and as securely as possible, for real people.
Because I see the big picture, I can get started right away without being handed a detailed audit scope. I will automatically figure out what matters most to your users, and to your project, and focus my review there. My goal is always to find flaws that have a real chance of hurting real people, and to inform you about how your security processes are failing.
If it's your first time getting an audit, I'll make it easy by figuring out the scope for you. If you already have a mature security program, or are experienced at commissioning security audits, I'll work with you to narrow down how my work will best augment your existing practices.
What I audit, and other services
| Applied Cryptography | Encryption libraries, primitive implementations, protocol designs and implementations. Any software that uses cryptography as a key feature. |
| General Application Security | Web apps, mobile apps, desktop apps. Anything, really! |
| Blockchain & Wallets | Hardware wallets, light clients, consensus code, smart contracts, etc. |
| Threat Modeling | I'll write a threat model that your users can actually understand, distilling the complex security properties of your product into a simple, accurate model everyone can read. |
| Organizational Security | Your organization should have internal security training, out-of-band confirmation practices, code review strategies, and incident response drills. I'll either help you figure all of that out, only recommending high-impact practices that will actually work, or review the practices you already have. Security is a process, not a product. |
| Science & Technology Due Diligence | Considering making an investment, but unsure if the underlying technology is legit? I'll dive into the product's technical workings and roadmap, learning how it works as well as all of the science behind why it works. Then I'll give you a technical feasibility report, including bear/bull theses grounded in an accurate understanding of the science. Focus areas: Quantum, cryptography, blockchain, security and privacy, AI. |
Work Sample
You can get a sense for the quality of my work by looking at my past, public audit reports. Here are a couple of my favorites:
Pricing
I work on a daily rate, generally starting with a timeboxed 10 to 25-day audit, depending on the risks involved and complexity of the design or codebase. I offer reduced rates for open-source projects and open-access research.
How does an audit work?
"Given enough eyeballs, all bugs are shallow," the saying goes. Conversely, if the same set of eyes have been poring over the same designs and code for a long time, it's almost guaranteed that there are some "shallow" bugs going unnoticed.
A security audit is worth investing in for three main reasons:
- Fresh Eyes: An audit provides a fresh set of eyes to look over your designs/code. Fresh eyes, especially from someone learning how your product works for the first time, are more likely to spot problems that your own engineers have become blind to through repeated exposure. It's an opportunity to question the background assumptions the system was designed under, to find and fix problems that put users at risk.
- Feedback: An audit measures the effectiveness of all your security practices leading up to the audit. Did a vulnerability make it into your shipped product? If so, that's an indicator that your security practices can be improved. The audit report gives you real information that helps you improve the way you work; it's not just a list of problems.
- Reputation: Publishing audits you've acquired for your products shows technical people that you are taking security seriously and that your products can be trusted. Publishing the audit report is optional, but being open and honest about mistakes, especially when you're actively investing in finding them, is one of the best ways to build trust.
What happens when you get an audit? The basic process is:
- Scoping & Timeline – We agree on which areas of your project need review the most, how long the audit will last, and when it will take place. Audits are usually "timeboxed" efforts, meaning I make the most out of a set amount of time to find as many high-impact issues as possible. You can either leave the scope up to me, or point me at a specific scope to fill in some security gaps you've already identified.
- Security Review – The actual security review happens. I verify that you've correctly implemented your cryptography according to spec, look for vulnerabilities in the specification itself, find subtle mistakes in the most security-critical code, and make recommendations for improving the overall robustness, reliability, and usability of your project. If you'd like a detailed breakdown of my process, I've documented it here.
- Interim Report – Halfway through the audit (or at the end of every week, if you prefer), you'll be sent a draft of the current report. This will let you know about any issues the audit has found so far, and gives you an opportunity to adjust the audit's focus areas given the findings so far.
- Remediation – At the end of the security review phase, you will be sent a draft final audit report detailing all of the issues and recommendations the audit uncovered. At this point, the audit is complete and remediation begins. After your engineers fix the most critical issues, I'll review the changes to ensure the vulnerability was completely resolved. I usually include a couple days of remediation time in audit scope, and that's often enough, but sometimes, when a lot of vulnerabilities are found, the remediation will require billing for more time.
- Final Report – At last the final report is updated to reflect the remediation status of all the issues, we both look over the report for any technical inaccuracies that need to be corrected, and then, at your option, it can be published.
Resources & Assumptions
Usually, you'll make one of your engineers available to answer technical questions about the project, but this is not mandatory; I can usually dive right into a codebase and learn it on my own without assistance.
Get in touch
Email me at taylor@defuse.ca with a brief description of your project and I'll suggest some ways I can help.


