from Hacker News

Latacora: Security Programs For Startups

by MattRogish on 9/23/16, 8:10 PM with 52 comments

  • by ShaneWilton on 9/23/16, 9:32 PM

    From the HTML source:

      <!-- You can't know whether I'm exploiting a bias in the crappy JS -->
      <!-- RNG to make my name first more often. Hah-hah. -->
      document.addEventListener("DOMContentLoaded", function(event) {
        var names = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"].
          sort(function(x, y) { return 1 - Math.ceil(Math.random() * 100) % 3; });
        for(var i = 0; i < 3; i++) {
          document.getElementById("n_" + i).textContent = names[i];
        }
      });

    It isn't scientific in the slightest, but I ran the function a hundred million times, and Erin seems to appear first about 60% of the time, in Google Chrome.

    Good luck with the company, I hope you can also beat the RNG that makes or breaks a startup :)
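    The bias ShaneWilton measured, reproduced as an added example (this is not code from the original post or from the Latacora site): the quoted comparator ignores its arguments and returns 1, 0 or -1 at random, so the permutation it yields depends on the sort algorithm rather than being uniform. A plain insertion sort (assumed here as a stand-in for an engine's small-array sort) and a seeded PRNG (mulberry32, also an assumption) make the run reproducible, and a Fisher-Yates shuffle is shown alongside for comparison.

```javascript
// Seeded PRNG (mulberry32) so runs are reproducible; Math.random() would work too.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// The comparator quoted above, RNG injectable. It ignores x and y and returns 1, 0 or -1
// at random, so it is neither consistent nor transitive; the output depends on the sort algorithm.
function pageComparator(rng) {
  return function (x, y) { return 1 - Math.ceil(rng() * 100) % 3; };
}

// Plain insertion sort (assumed stand-in for an engine's small-array sort), engine-independent.
function insertionSort(arr, cmp) {
  const a = arr.slice();
  for (let i = 1; i < a.length; i++) {
    for (let j = i; j > 0 && cmp(a[j - 1], a[j]) > 0; j--) {
      [a[j - 1], a[j]] = [a[j], a[j - 1]];
    }
  }
  return a;
}

// Fisher-Yates: every permutation equally likely when rng is uniform.
function fisherYates(arr, rng) {
  const a = arr.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Share of trials in which each name ends up in slot n_0.
function firstSlotShare(shuffle, names, trials, rng) {
  const counts = Object.fromEntries(names.map((n) => [n, 0]));
  for (let t = 0; t < trials; t++) counts[shuffle(names, rng)[0]] += 1;
  for (const n of names) counts[n] /= trials;
  return counts;
}

const NAMES = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"];
console.log(firstSlotShare((n, r) => insertionSort(n, pageComparator(r)), NAMES, 1e5, mulberry32(1)));
console.log(firstSlotShare(fisherYates, NAMES, 1e5, mulberry32(2)));
```

    With insertion sort each comparison swaps with probability p = 33/100 (the cases where the draw is 0 mod 3), so the first entry stays put with probability (1-p)(1-p^2), about 0.60, matching the ~60% observed above; Fisher-Yates gives each name the first slot about one third of the time.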

  • by djcapelis on 9/24/16, 1:50 AM

    This is great. Someone needed to do one of these, I dabbled in this market with my little one person shop because it seemed so critically underserved, but my constraints were a bit different.

    Some of the challenges I faced in trying to help startups: I needed to be paid in real money, which is tough for a startup. I didn't market myself at all (not even a webpage), which is just neglectful. And finally, surprisingly: frankly, I found startups to have the worst legal advice and contracts. All of them went to their lawyers and came back with contracts that looked like employment agreements and frankly included worse terms than most employment agreements. I had my own agreement, but it didn't help much. I had a surprising number of deals fall through because of this. Part of it is I clearly allowed incorrect expectations, and part of it, I think, is that if people haven't heard of you they just assume you'll be unrepresented and are shocked when you don't just sign their standard "we put whatever we thought would be best for our client" contract and instead ask for a version for a lawyer to redline.

    So frustrating. And for real, most startups didn't need that much of my time, so it became not worth it.

    Instead I had a much better experience with a lot less pain (and frankly more interesting work) working on multibillion dollar public infrastructure contracts (train systems mostly) and focused on those instead. Go figure.

    You'd expect startups to do better in this area than larger companies.

    Thankfully Thomas is well known on the Internet, which I think will help a lot with startups. And it's a better model than what I was doing.

    Anyway! Thanks for doing this! It's a huge unfilled area. Someone needed to and I hope it works well!

  • by tetrep on 9/23/16, 9:10 PM

    Ha, I guess a management role is the natural progression from technical consulting. I love the idea of a middle ground between "we have things people would want to hack" and "we have a dedicated security team." It's great when you can hire security-conscious developers, but startups generally aren't known for seeking out or emphasizing those skills. AFAIK nobody has adopted "Move carefully and write secure code with minimal technical debt."

    A seasoned security team would also be able to effectively avoid snake oil security consultants (no, you really don't need to encrypt the user's password with JavaScript before transmitting it to the server), which are all the more tempting to hire as they're generally cheap (run Nessus, print and deliver report...).

  • by tptacek on 9/23/16, 8:11 PM

    I guess if people are interested and have questions I can try to take a stab at them, but really you'll be having a conversation with three people who have only a faint idea of exactly how this is going to work, since we're still in learning mode. :)

    The next thing I'm actually shipping is the first batch of post-Starfighter challenges.

    The next thing I'm actually writing is "what happened with Starfighter".

  • by richerlariviere on 9/24/16, 5:29 AM

    >Growing a business is exciting. We'd like to make it just a little less exciting for you.

    The second sentence sounds weird for me. Maybe I didn't understand because I don't speak English natively and I missed some kind of humor.

  • by nickpsecurity on 9/23/16, 8:29 PM

    I suggested this exact thing on Schneier's blog to keep security from being an afterthought or too expensive. Great to see a group think of and actually do the same thing.

    Good team for this. The prior experience will help them iterate more effectively into a model that works. Then others can copy it. Or they might even franchise it.

  • by briancl on 9/24/16, 11:11 AM

    Every strong engineering team needs someone with real security chops... not just someone who can fix SQLi after it's been pointed out, but someone who gets security at the infrastructure level. Someone who gets the why, not just the how. Not every team has that person, or that person can't devote the time to play that role.

    With a few good references and strong VC/Accelerator connections, this boutique consulting business should do fine. The question for me is how much pain is there on the board/founder (the key influencers/buyers of the service) compared to the cost of the services... or the risk of doing nothing.

  • by lifeisstillgood on 9/23/16, 9:12 PM

    Preamble: a lot of agencies (I'm thinking Postlight) act as "hire us for three months to get the idea off the ground" - they try to take away the headache of not having actually hired a good team yet.

    Question: Are you part of a fracturing of this? That people could hire you for security, Postlight for front end, someone else for ecommerce / payments, etc. I think what I am asking is: is the Postlight model distrusted, is hiring your style of team easier to fit around a growing team? What is the gap in the market you are seeing?

  • by lifeisstillgood on 9/23/16, 9:00 PM

    I am working with a small startup as their "technical advisory board" - clearly not as security minded as here, but the goal is the same, to take a brain dump from me and use it as a framework for the next couple of months of work.

    I like this idea, and hopefully it's self-selecting. People who won't listen to good advice won't hire you in the first place!

  • by purpledragon on 9/23/16, 8:40 PM

    How does this business scale without affecting quality?

    Why is the birth of this particular (small) security consulting firm more newsworthy (in contrast to all of the others that have popped up)?

  • by mxuribe on 9/23/16, 8:40 PM

    This sounds like a great idea! Kudos and best of luck!

  • by vemv on 9/23/16, 10:55 PM

    Might be good to mention what programming languages you work with, as security is quite coupled with application code...