Secure Development

Our focus is on quality! Solutions we produce are often expected to stand the test of time and to have excellent reliability and security. Our customers expect us to question suggestions and come up with a better solution if there is one. That means that we can spend more time in the initial development and in the end save money for our customers by not having to constantly patch bugs while keeping our developers happy by working on interesting problems.

Our team typically consists of people with a mix of interests such as:

• Security
   - Our obvious common interest, but there are many specific interests within. Some like web security, some like information security and some just thrive on nailing down that narrow path of valid input required for the system to accept the request.
• Programming languages
  We often develop in modern C, C++, C#, Java, Go and Python. It will be possible to have an interesting discussion and probably find assignments in for example Rust or Haskell or pretty much any other language as well. We try to focus on using the right tool for the job.
  
• Distributed systems
  - Making a system work and be consistent under load is different from that quick proof of concept.
  
• Cryptography - Ranging from choosing and reviewing the right encryption algorithm for storing data to implementing secure protocols or White-box cryptography.
  
• Identity and authentication - We often focus on authentication of both users and systems and have utilized a wide range of identity systems as well as built bespoke ones for our customers.
  
• Hardware and IoT - If you are interested in securing or breaking embedded software or IoT solutions we do that as well. Both looking at electronics and the software powering the products.

If you join Truesec you will have colleagues that would argue that the year of the Linux desktop was 1991 and prefer terminals and clean C code, while others will comfortably navigate the latest Visual Studio preview or AWS interface. Quite often they are the same person.

Becoming a defender by thinking like an attacker

At Truesec we constantly try to break our own creations. Our software projects use mandatory code reviews, where the focus is always learning and improving and never one-upmanship or box-ticking. If the development process or current best practice can be improved, we embrace change, after a healthy discussion among colleagues.

Through the years we have developed strategies for secure development and reducing defects, both security-wise and in functionality. Security bugs are just like other bugs in the sense that the application should do what it is supposed to, and nothing more.

Modern software is complex, and it is easy to lose focus on what is important. We encourage using threat modeling at the appropriate detail level and prioritize risks based on the threat model.

that we can spend more time in the initial development and in the end save money for our customers by not having to constantly patch bugs while 

We prefer to find vulnerabilities in the development stage and reducing attack surface over vulnerability patching and incident management.

Security as part of the software development lifecycle.

We develop and maintain distributed systems and mobile application components with very high-security requirements. We work with established standards, such as OWASP Application Security Verification Standard and CWE/SANS Top 25.

Not just yet another ticket to implement…

We are picky with the projects we choose to design and develop for. The longer-term project must be technically interesting and have high-security requirements so that we can perform our craft.

Not only do we help create state-of-the-art secure applications, but also review systems and increase the security level of existing applications. As a member of our development team it is possible to see and review a wide array of customer systems and implementations.

We most often do such assignments in pairs or more, making it possible for you to learn and teach technologies on the job both colleagues with different experiences and areas of expertise and from the customer's.