I'm an independent security strategy, architecture, and design consultant. I'm not actively looking for anything full-time, but get in touch if you've got something special. I'm also available as a public speaker.
I have a Patreon, here, where you can subscribe to support my security and systems-focused writing. You sign up for a fixed amount per essay (with an optional monthly cap), and you'll be notified every time I publish something new. At higher support levels, you'll get early access, a chance to get in-depth answers to your questions, and even more general consulting time.
© 2020 Eleanor Saitta.
Whether your organization is just starting to think seriously about security or you have an experienced team that needs an extra hand, I can help you solve problems and create better outcomes for your users.
I focus on security and privacy strategy, security architecture and engineering, product security design, threat modeling, engineering process change, and operational security work. While I've got a wide range of experience, I'm not a generalist — if you need someone to do a penetration test, code review, or configure your firewall rules, I'm happy to help you understand exactly what you need and put you in touch with teams who can help you.
I've been working in application security since 2003 and doing research around threat modeling and security architecture since 2004. In 2012, I moved to the NGO sector and started working with high-risk teams, looking at operational security, cross-domain challenges, and the specific demands of high-risk and decentralized systems, and in 2016 I brought those skills back to the commercial world. Over the past decade-and-change I've worked for a number of the best-known boutique security consultancies in the business and done projects for Fortune 500 companies, early phase start-ups, NGOs and media organizations working in conflict regions, and everything in between. For more information on my background see here; for my resume, see here. References and rates are available upon request.
An organization's security and privacy strategy frames how they think about and plan for better financial and risk outcomes for the organization, and better life outcomes for their users. This shapes design and governance structures, risk analysis, planning and prioritization, staffing, high-level posture choices, interactions with compliance, and the kinds of security architectures they attempt to implement. Together with architecture work, strategy forms the bulk of the work I do for clients now.
The security risk landscape is changing quickly, and the GDPR has changed the stakes of privacy compliance. If you're an early-stage start-up struggling to understand how and when to even think about security and privacy, I can spend a few days with you and help you avoid the kind of costly mistakes that can make the difference between success and failure. For more established teams that are starting to make security hires but don't have or necessarily need an in-house CSO, I can work with you to backfill a proper security footing and then provide ongoing guidance. For large organizations, I can provide an external viewpoint, especially if you're in the middle of rethinking your approach to security and privacy, or drive strategy for specific projects.
Clients often come to me knowing that they have a specific security problem their infrastructure needs to solve or a set of requirements their software needs to meet that they don't know how to accomplish. Other times, they have a solution they think works (and may have already even shipped), but which they aren't confident in. I work with teams to understand what they're trying to actually accomplish in their world, what the constraints of their business or mission, their operating environment, schedule, and technical capabilities are, and help them re-engineer their system so they can have confidence that it will meet their goals.
Product security design is the process of determining what kind of system, which security properties, and which participation or behavior structures will allow the people using the system to accomplish their goals in the world, given their adversaries. If you're delivering systems where security is a high-stakes issue, I can work with your design team from day one to ensure that the application you design will deliver the security outcomes the people your system serves need. In particular, I'm interested in helping teams eliminate abuse vectors and provide users with tools to protect themselves, in defensive system design for fraud in ecommerce systems, and in communication, affordance, and security invariant co-design in secure communication and operations enablement tools.
Threat modeling is the core of the software security lifecycle and it's where you determine if the system you've designed and architected can deliver on its security requirements. Threat models also let you catch otherwise expensive requirements-level vulnerabilities much earlier. I can build a threat model for your application from scratch, or improve and formalize the model you already have. If you bring me in early in your requirements process, this threat modeling effort can significantly reduce the cost and churn of delivering a secure application.
No engineering team is either perfect or static. If you're looking to shift the way your team practices their craft, whether the shifts are specifically about changing the culture or process of security and privacy, or are more general — moving to a more agile development footing, implementing continuous integration, bringing tighter, devops-style collaboration between teams, or adding the process and rigor required to meet compliance demands, I can help you understand how to drive both process and culture change.
If your organization has adversaries, you need to think about how you reach your goals and balance risk and efficacy. Regardless of the context you work in, I can help you find that balance for both digital and non-digital operational security.
It's important to bring skills in-house, and I can help your team learn how to use and create threat models and how to work with the security design process.