Gold Fig Blog

Empathy for customers in the infosec space

Since we’re now hiring at Gold Fig, I wanted to talk about one of the values we included in the job requirements: empathy for customers.


It has been my experience that, especially among the security community, there is a tendency to look down on…

"Identity Is The New Perimeter": What's new, and what was the old one?

Another round of de-mystifying security jargon: “Identity is the new Perimeter”. Depending on your age, this one can either seem like a major change or seem super obvious.

The Perimeter being referenced is the security perimeter that you are…

Zero Trust: Why You Should Trust No One

If you’ve been following trends in the security industry, you’ve undoubtedly come across the term “Zero Trust”. It’s just over a decade old, but is currently experiencing a resurgence.

The term can be understood to apply fairly broadly (e.g.…

Infosec and security checklist roundup

Staying on top of all the latest infosec and security best practices can be daunting. While services are now beginning to default to more secure configurations, there are still a slew of places where the onus is on the end user to ensure that security is…

Carrying the torch of the Sqreen SaaS CTO security checklist: infosec basics for startups (part 4)

At Gold Fig we are strong proponents of the view that the highest ROI activities around infosec are staying diligent and persistent around the basics. Security has a notoriously broad surface area. When given clear, actionable insights,…

Making sure the things that aren’t supposed to work ... don’t work — negative testing your cloud infrastructure and app

When getting cloud infrastructure set up and functioning, developers will go through a slew of steps before it reaches production. This could include IaC, static analysis tests, and ensuring that analytics and monitoring are properly instrumented. While…

Shifting left is an antiquated way to think about security in a cloud-native world

Once upon a time you needed to hand-tune and architect infrastructure to performantly serve static assets at scale. However, now, getting started with a CDN or storage buckets is as easy as can be. Many services completely abstract away such concerns…

Mediocre persistent threats: infosec basics for startups (part 3)

Unless you’re an extremely high value target, advanced persistent threats and exotic attacks aren’t a startup’s concern. Diligence around securing the basics of your cloud infrastructure settings is the highest ROI engineering activity you can…

Mediocre persistent threats: infosec basics for startups (part 2)

Most “start here” for infosec guides begin with an exercise in assessing and enumerating the threats and risks. However, for most startups there isn’t a clear answer here. Unless you’re a high-value target attracting focused attacks the main threat to your…

CSPM (cloud security posture management) and where it fits within your infrastructure

Cloud and other B2B infrastructure providers are notorious for creating a new and never-ending stream of buzzwords and acronyms. As things progress, the marketing speak muddies where each one fits and who it applies to. However, as with all things, they start with…

Linting cloud infrastructure (part 2)

In our last blog post we introduced the concept of linting through the prism of infrastructure-as-deployed and went over three simple example queries. Continuing our series on linting your cloud infrastructure, we’ll go over three new queries of successively…

Cloud infrastructure linting even if you aren’t 100% IaC

Linters have a long and enduring history in software. From their origins in the late 1970s to the present, they’ve caught things like programming errors, confusing formatting, unsafe functions, and everything in between. The static analysis approach lends…

Understanding Infrastructure-as-Deployed

Engineering teams are steadily adopting a “cattle, not pets” attitude towards infrastructure. Cloud providers are enabling easy-on, easy-off services. As a result, churn in production deployments has become a fact of life. Engineers have begun to apply the…

Introducing rpCheckup - Find Backdoors and Public Access In AWS Resource Policies

AWS' policy language is notoriously challenging. As you build out your infrastructure, you commonly run into situations where two components ought to be able to communicate, but can’t. In an attempt to unstick your development progress, you reach for…
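To make the “public access and backdoors in resource policies” idea concrete, here is an added, stand-alone example (not rpCheckup’s code, and not part of the original post) that walks the statements of a bucket policy and classifies each Allow by who it grants to: a wildcard principal with no Condition is public, a wildcard narrowed by a Condition needs review, and a grant to an account outside the set you own is a potential backdoor. The sample policy, the account IDs and the `TRUSTED_ACCOUNTS` set are constructed for illustration.

```python
import json
import re

# Constructed sample bucket policy (not from any real account): one in-account
# grant, one public read, one wildcard scoped by an Organization condition,
# one grant to an account we do not recognise, and one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "Mystery", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

TRUSTED_ACCOUNTS = {"111111111111"}  # hypothetical: the account IDs you own

_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")
_RANK = {"ok": 0, "external": 1, "public-conditional": 2, "public": 3}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_items(stmt):
    """Yield (kind, principal) pairs; a bare "*" is reported as kind "AWS"."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        yield "AWS", principal
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield kind, value


def account_of(principal):
    """Return the 12-digit account ID from a bare ID or an IAM/STS ARN, else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = _ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def classify_statement(stmt, trusted_accounts):
    """Worst-case finding for one statement.

    public              Allow to "*" with no Condition (or Allow + NotPrincipal)
    public-conditional  Allow to "*" narrowed by a Condition; review the keys used
    external            Allow to an AWS account outside trusted_accounts
    ok                  Deny, or Allow only to trusted accounts / service principals
    """
    if stmt.get("Effect") != "Allow":
        return "ok"  # Deny statements only narrow access
    if "NotPrincipal" in stmt:
        return "public"  # Allow + NotPrincipal grants to everyone except those listed
    has_condition = bool(stmt.get("Condition"))
    worst = "ok"
    for kind, principal in _principal_items(stmt):
        if principal == "*":
            finding = "public-conditional" if has_condition else "public"
        elif kind == "AWS":
            finding = "ok" if account_of(principal) in trusted_accounts else "external"
        else:
            finding = "ok"  # Service/Federated/CanonicalUser: not account-scoped, review separately
        if _RANK[finding] > _RANK[worst]:
            worst = finding
    return worst


def audit_policy(policy_json, trusted_accounts):
    """Map each statement (by Sid, or index when Sid is absent) to its finding."""
    policy = json.loads(policy_json)
    results = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        results[stmt.get("Sid", f"statement-{i}")] = classify_statement(stmt, trusted_accounts)
    return results


if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY, TRUSTED_ACCOUNTS).items():
        print(f"{sid:14s} {finding}")
```

Two caveats worth keeping in mind when reading its output: a Condition on a wildcard principal is only as good as the condition keys it uses (an `aws:PrincipalOrgID` check is a real boundary, a `StringLike` on a user-controlled key is not), and a cross-account grant is only a backdoor if you do not recognise the account, which is why the trusted set is an input rather than something the checker can infer.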

When should my startup prioritize infosec?

If you imagine your organization as a sea-faring vessel, infosec’s goal is to ensure the boat can survive krakens or cannon-wielding pirates and successfully complete its journey. If you ignore the existence of sea terrors, you may not make it to your…

Do The Basics First - What To Check Before Launching on AWS

How do engineers make the seemingly-obvious mistake of opening their infrastructure to the world? Usually, with the best of intentions. When you’re building out your infrastructure, you tend to accept the first set of permissions that makes things “just…

Our Philosophy

No one doubts that security is important for cloud infrastructure. The potential for harm to your business, your customers, and your reputation is real, and that potential increases with your business’ success. And yet, customers will not reward you for…