18. Long lines, high prices
Development growth outpaces assessment talent
Large knowledge gap between parties
19. Low barrier of entry for developers: permissionless participation, innovation in all directions, tutorials everywhere
Few quality onboarding resources for security engineers: what are the types of things only a human can find?
Culture of BUIDL: how many projects have dedicated security engineers?
Slow traditional security adoption: over-hyped public narrative, new technology, rampant scams
Development growth outpaces assessment talent
20. Developers don’t know what security firms want: scope definition, relative risk
Rapid pace of innovation: keeping up with current innovation is a lot of work
Poor internal security resources: how many projects have dedicated security engineers?
Large knowledge gap between parties
24. Start early, write it down
Documentation
Define a process
Open source tooling and standards
25. Specification: NatSpec, user stories, TLA+, invariants, assumptions
Threat modeling: identifying risks, their controls, and who has access to them
User documentation: tutorials, run scripts, installation docs, FAQ
Best practices: identify which best practices you’re following, and where and why you deviate from them
Documentation
26. Low effort: linter, static analyzers, call graph generation
Medium effort: fuzzers, simulations, modeling
Heavy effort: formal verification engines
Tooling
27. Plan: plan out what you’re building, get a sanity check, evaluate risk
Build: use tooling to constantly check for low-hanging fruit, CI/CD, unit tests
Check: evaluate cost vs. risk, get internal reviews
Define a process
29. The road to not sucking
Write an RfP
Track and disclose results
Shop
30. Define: who you are, what the project goals are, all relevant resources
Scope: what is to be reviewed explicitly, relevant skills needed
Set expectations: how long, budget, deliverables
Process: how to contact you, what to include in a bid, selection criteria, proposed fee structure
Write an RfP
31. Distribute the RfP to relevant parties: official communications, direct emails, social
Negotiate: ask for justification of services if needed, query differentiating factors, ensure firm resources and timelines
Choose one or more that fit appropriately: develop an audit plan based on submitted proposals
Shop
32. Make sure you input key findings into your workflow: the easiest way to track them is to incorporate findings into what you already do
Keep track of the findings’ progress: make sure you actually utilize the wisdom learned from what you’ve paid for
Broadcast fixes, write post-mortems: tell people what you’ve done, and what lessons you’ve learned along the way
Track and disclose results