# Hello TestifySec!

## Mission

TestifySec was founded to secure cloud, edge, and on-premise IT and OT systems. Our team is composed of the best engineers practicing Zero Trust Architecture, Supply Chain Security, and Policy as Code. We develop products and services that enable organizations to mitigate complex cyber security attacks while increasing overall organizational efficiency.

## Vision

Our vision is to secure the world's most critical infrastructure with an expert team of engineers, project managers, and innovative products.

# DevSecOps is a Core Technical Skill Set

DevSecOps is the integration of security into both development and operations. Organizations must mature in the following categories to implement DevSecOps at an organizational level. Our team's core technical capabilities align with these concepts: Zero Trust, Supply Chain Security, and Automated Governance.

## Zero Trust Architecture

Zero Trust Architecture is a design principle that uses identity, policy, and control as the security perimeter instead of relying on network location enforced by firewalls and ACLs. Our team contributes to critical open source projects, holds patents in zero-trust architecture, and has influenced and implemented Zero Trust Architecture at some of the world's largest and most influential organizations, including the DoD, major utility providers, and large financial institutions.

### Identity

Identity is cryptographic proof of a workload's or user's attributes. These attributes may include the physical machine the user or workload runs on, the hash digest (for example SHA-256) of a container image, or an x.509 certificate held on a hardware token. Concrete examples of identity documents are JWTs and x.509 certificates. In ZTA, security controllers must verify the identity of each agent requesting a resource.

### Policy

We define policy as the organizational constraints placed on an IT/OT system. In traditional systems, when an administrator requests a change, that change is manually compared against paper-based policies.
With Zero Trust Architecture, organizational policy about how users and services are allowed to communicate in a system is encoded as data in a machine-readable document. These policy documents are distributed throughout the system and consumed by controllers, which make policy decisions when requests for resources such as database connections, REST requests, or file share requests are made. This construct enables organizations to audit systems continuously, reducing compliance burden while increasing both security and agility.

### Control

We define control as the pieces of software that grant access to various resources. Security controllers can take the form of proxies, middleware, admission controllers, and similar components. A security controller takes the requester's identity, the policy documents, and optionally external data sources, and makes a decision about each request for a network resource.

## Supply Chain Security

Supply chain security is the foundation of workload identity. The materials that go into a software artifact define its unique identity. Inspection, inventory, and approval of the materials for a software artifact are essential to understanding its overall risk level. Our team is at the forefront of supply chain security research. We have contributed to the Supply Chain Security Best Practices paper, and our open-source contributions are used at organizations such as Google and Microsoft to secure their internal infrastructure. Our methodology uses strong attestations of both the build environment and the materials used to create a software artifact, together with an SBOM containing build metadata. Whether your organization is protecting a nuclear missile, a bank database holding billions in assets, or is a software supplier trying to understand new compliance rules in order to sell into the federal government, we have your back.

## Automated Governance (Policy as Code)

In the practice of DevOps, IT systems change multiple times per day. This conflicts with periodic security evaluations of these systems.
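As a worked example of how the capabilities described above fit together (an identity rooted in the digest of an attested artifact, a machine-readable policy that lists approved materials and access rules, and a controller that automates the decision), the following Go program is added here; it is not TestifySec code or a product API. The attestation structure, the builder ID `ci-builder-01`, the resource names, and the sample source, dependency and binary bytes are all constructed for the example. A production system would use a standard attestation format and certificate-based builder keys rather than a raw ed25519 key generated in `main`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// The structures below are assumptions for this example, not a standard format.
type (
	// Material is one build input (source file, dependency, base image).
	Material struct {
		Name   string `json:"name"`
		SHA256 string `json:"sha256"`
	}
	// Attestation binds an artifact's digest to its materials and its builder.
	Attestation struct {
		ArtifactSHA256 string     `json:"artifact_sha256"`
		Materials      []Material `json:"materials"`
		BuilderID      string     `json:"builder_id"`
	}
	// Envelope carries the attestation and the builder's signature over it.
	Envelope struct {
		Payload   []byte `json:"payload"`
		Signature []byte `json:"signature"`
	}
	// Rule states which artifact may perform which action on which resource.
	Rule struct {
		ArtifactSHA256 string `json:"artifact_sha256"`
		Resource       string `json:"resource"`
		Action         string `json:"action"`
	}
	// Policy is the machine-readable document controllers consume;
	// ApprovedMaterials is the inventory of vetted inputs (hex SHA-256).
	Policy struct {
		ApprovedMaterials []string `json:"approved_materials"`
		Rules             []Rule   `json:"rules"`
	}
	// Controller is the policy decision point (proxy, middleware, admission controller).
	Controller struct {
		TrustedBuilder ed25519.PublicKey
		Policy         Policy
	}
)

// Digest returns the hex SHA-256 of b; the artifact's digest is its identity.
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Attest runs on the build side: hash every material and the artifact,
// then sign the statement with the builder's (hypothetical) key.
func Attest(builder ed25519.PrivateKey, builderID string, artifact []byte, materials map[string][]byte) (Envelope, error) {
	att := Attestation{ArtifactSHA256: Digest(artifact), BuilderID: builderID}
	for name, content := range materials {
		att.Materials = append(att.Materials, Material{Name: name, SHA256: Digest(content)})
	}
	payload, err := json.Marshal(att)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(builder, payload)}, nil
}

// Decide is default deny: the builder signature, every material, and a
// matching rule must all check out before access is granted.
func (c Controller) Decide(env Envelope, resource, action string) (bool, string) {
	if !ed25519.Verify(c.TrustedBuilder, env.Payload, env.Signature) {
		return false, "deny: attestation is not signed by the trusted builder"
	}
	var att Attestation
	if err := json.Unmarshal(env.Payload, &att); err != nil {
		return false, "deny: attestation payload is malformed"
	}
	approved := map[string]bool{}
	for _, d := range c.Policy.ApprovedMaterials {
		approved[d] = true
	}
	for _, m := range att.Materials {
		if !approved[m.SHA256] {
			return false, fmt.Sprintf("deny: material %q (%s) is not in the approved inventory", m.Name, m.SHA256)
		}
	}
	for _, r := range c.Policy.Rules {
		if r.ArtifactSHA256 == att.ArtifactSHA256 && r.Resource == resource && r.Action == action {
			return true, fmt.Sprintf("allow: artifact %s may %s %s", att.ArtifactSHA256, action, resource)
		}
	}
	return false, "deny: no policy rule permits this artifact to access the resource"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	// Constructed sample inputs standing in for real source, dependency and binary.
	src, dep, bin := []byte("package main\n"), []byte("dependency v1.2.3"), []byte("compiled binary")
	env, _ := Attest(priv, "ci-builder-01", bin, map[string][]byte{"main.go": src, "dep.tgz": dep})
	ctrl := Controller{TrustedBuilder: pub, Policy: Policy{
		ApprovedMaterials: []string{Digest(src), Digest(dep)},
		Rules:             []Rule{{ArtifactSHA256: Digest(bin), Resource: "db/orders", Action: "connect"}},
	}}
	fmt.Println(ctrl.Decide(env, "db/orders", "connect"))   // allow
	fmt.Println(ctrl.Decide(env, "db/payments", "connect")) // deny: no rule
}
```

Note the order of checks in `Decide`: the signature is verified before the payload is parsed, so an attestation from an untrusted builder, or one altered in transit, is rejected without its contents ever being trusted; the material inventory is checked before the access rules, so a build that pulled in an unapproved dependency is refused even though the artifact itself is otherwise permitted; and nothing in the decision depends on the requester's network location.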
In an uncontrolled or loosely controlled DevOps system, attackers, administrators, or developers may introduce harmful changes. These changes may affect operations or security posture. Manual security reviews of software and configuration changes often miss details that could result in a system vulnerability, and they are expensive, slow, cumbersome, and imperfect. In our methodology, we build controllers and policy documents that automate security tasks. Automated governance gives your organization the confidence to increase release cadence while maintaining compliance, so features and security mitigations reach your systems faster. We have experience integrating with most major platforms, such as JIRA, ServiceNow, GitHub, and GitLab.

# How we serve our customers

Our engineers and project managers follow a 5 step process to ensure success.

**1. Discovery**

Our team of architects will meet with your security and engineering teams to understand your business concerns and risks.

**2. Assessment and Architecture**

As a product of the discovery phase, our team will deliver an infrastructure security assessment and a draft architecture.

**3. Delivery**

Our team of engineers and partners will deliver the architecture in an agile manner. We have years of experience delivering projects while working remotely, and you will always know the status, successes, and challenges of the project.

**4. Sustainment**

Upon completion of the initial scope of work, TestifySec will provide a sustainment plan for your organization, including training packages, dedicated support contracts, and an outlook on future opportunities and risks.

**5. Custom Software**

Our team will lower your overall management cost by developing custom software that allows your organization to manage its network, user, and workload security the way the big tech companies do. TestifySec is your competitive advantage.
# We are ready

We are ready to serve your organization. If you need a verifiable SBOM for your application, application security consulting, infrastructure modernization, or custom security automation and integrations, please email us or call us for a free consultation.