A Decade of Enabling Security-By-Design for Emerging Technologies

In January, we celebrated the 10-year anniversary of our first ever published security audit report. At the time of that first review, security consulting for privacy-enhancing and distributed technologies was a fledgling industry, and very few companies like us were offering specialized knowledge and expertise in security analysis. SpiderOak chose us to audit their new Crypton.io framework in part because we were also running our own secure storage service, S4 (since replaced by PrivateStorage). After that review, we went on to perform security audits of internet freedom tools supported by the Open Technology Fund, and then ventured into blockchain technologies with our Incentive Analysis for Ethereum in 2015. Shortly after, we entered the public space of zero-knowledge proofs (ZKPs) as Zcash was launched, which opened a new path for the use of ZKPs and, with it, the need for specialized audits of them.

We learned a great deal from that initial experience and are proud to say that in the decade since, we have conducted more than 225 security audits. Perhaps more significant is that we have published more than 100 of these reports. Most recently, we began our next chapter of pioneering where and how these reports are published by investigating the use of blockchains to further decentralize the security information in these reports and broaden its use. And as the paradigm of our online interactions changes, we are also expanding into Privacy Reviews and into the territory of artificial intelligence (AI) and machine learning (ML) technology. In short, our reputation as a security consulting firm working with emerging technologies has grown and continues to grow.

Our formula for conducting audits is key to our consistency and accuracy. Our engagements typically begin with the initial communication we have with a prospective client in the estimation phase. During the review phase, this often leads to rich discussions and exchanges with the client about the audit, and those exchanges sometimes continue even after the verification phase and the delivery of the final audit report. Auditors are not simply assigned based on who is available at the time or when the next report is due. They are given the opportunity to take on audit work based on their experience (e.g., with the programming language involved) and on projects that they find interesting or even personally important. As a mission-oriented company, we do not see an audit as just a source of business; we see it as a way to contribute to the advancement of important and disruptive technologies. While no audit is a guarantee that all vulnerabilities have been found, by engaging our diverse and extensive expertise, we can help reduce risk and increase the knowledge shared in the process. As supporters of privacy as a human right, we know that security is fundamental to confidentiality, and we encourage security-by-design through our security consulting efforts.

In addition to supporting the secure development practices of other teams with audits and promoting the sharing of security information by publishing audit reports, we also encourage community building through our collaborative approach to client engagement. One-third of the audit work we conduct is for clients who have previously worked with us. In follow-up surveys, our clients report that the top reasons for returning to us are our professionalism, our ability to customize the scope of the work to be completed, and our on-time delivery. Each of these reasons reflects our commitment to adding value to the progression of emerging technologies in partnership with our clients.

Looking back on the past decade, we take pride in our role as pioneers in security consulting for privacy-enhancing and distributed technologies. Since our inaugural audit, we have consistently set a high standard for transparency and professionalism.

We invite you to review our recent blogs for a comprehensive look at our latest developments and contributions to the ever-evolving world of digital security and privacy.