Micron21 Partner

Capybara Security Engineering

For Penetration Testing and Security Audits, we work closely with our partner Capybara Security Engineering to conduct independent assessments of infrastructure and services.

With decades of experience in cybersecurity, software development, and network architecture, chances are that if you're experiencing a crisis, someone on their team has seen it before and can help you navigate to safety.

 

Security Engineering

Why we do this

Security attracts a lot of different types of people: some love the puzzles, others are very curious, and some just want to prove they are the smartest. We understand that, but it isn’t what drives us.

We do this because every unpatched vulnerability, every misconfigured tenant, every piece of code that ships with a security hole makes the internet less safe for everyone. Not just for the organisation we’re testing, but for all of us. We’ve been around long enough to see this play out time and time again, in ways that have caused genuine harm. And so many of these incidents were preventable, caused by problems that could have been caught by a fresh set of experienced eyes.

We want a more secure, less vulnerable internet. That’s all. That’s why we examine rather than just attack, why we don’t just tell you what’s broken but also how to fix it, and why we come back to verify that the fix worked before we consider the job done.

 

What we do

Building things the right way and helping others do the same.

Secure Code Review & Testing

You've written thousands of lines of code, and it's finally working exactly how you want it, but is it secure? Are you sure you caught all of the vulnerabilities?

The best way to prove to your clients, the regulators, or yourself that your code is secure is to have an independent third party review it. We can do that for you.

Secure Software Development

Writing code is one of our favourite things; we do it in our free time for fun! If you have an application in mind, we can take it out of your imagination and onto your system. We can also help you upgrade your existing codebase and implement new features on it.

Penetration Testing

We work with you to find your organisation's weaknesses, but we don't just tell you what's wrong. We offer solutions for the things we find, and if we have advice on how to improve your security posture overall, we'll share that with you too.

Security Policy Audit & Assessment

NIST, ISO 27001, Essential Eight, CIS Controls ... There are a lot of security and privacy frameworks out there. We can help you understand which ones apply to your organisation, and help you get compliant.

Services

Creating a More Secure & Less Vulnerable Internet

With over fifty years of industry experience, we’ve seen what good and bad testing looks like from every angle.

Secure Code Review

We go beyond automated scanning by examining your code and tracing the data from where it enters the system to where it can do damage, ensuring that the necessary controls are in place.

The flaws that matter most are often invisible to scanners and only reveal themselves when you understand what the application is supposed to do, and where the framework behaviour and business intent don’t quite line up.

We know the difference between something that looks secure and something that actually is. When we find something that isn’t, we tell you exactly what needs fixing and why. We won’t sign off until we’ve verified the fix holds.

 
 

Azure M365 Policy Auditing

Azure and M365 environments are governed by hundreds of configuration decisions that define what your environment allows and who can do what. There are so many options and settings that it's easy to get lost in the weeds.

We inspect your environment against the Essential Eight and broader security best practice, identifying where your configuration creates exposure, be that over-permissioned accounts, gaps in conditional access, or settings that look right on paper but leave you vulnerable in practice.

We will advise you on how best to close the gaps. After you have resolved the issues, we’ll validate that the changes have landed the way they were intended to.

Penetration Testing

Penetration testing isn't one-size-fits-all. We'll work with you to understand where your actual exposure sits, so we're testing what needs testing rather than just running through a checklist.

We prefer white box testing, which means we go in with context: your stack, your architecture. By understanding your environment we can poke and prod more intelligently, targeting observed potential cracks and weak points rather than taking a scattershot approach.

We document everything we find along with how we'd approach fixing it, and share that with you as a draft before anything is finalised. Once you've addressed the issues, we come back and verify they've been resolved.

 

Get In Touch

If you have a security problem, or just want to chat about how we can help you, please drop us a line at team@capybarasec.com.

We are always happy to have a no-obligation chat about your needs and how we might be able to help.

 
