Jekyll feed (updated 2026-02-04T16:57:30+00:00): https://glitchsecure.com/feed.xml. GlitchSecure: Automatically assess your security posture with continuous vulnerability assessments and real-time pentesting.

Entry: Embracing Transparency: Open Book, Open Minds (published 2025-04-27, updated 2025-04-27) https://glitchsecure.com/resources/embracing-transparency

<h1 id="embracing-transparency-open-book-open-minds">Embracing Transparency: Open Book, Open Minds</h1> <p>Tired of feeling like just a cog in the machine? What if instead businesses were built on a currency of trust and transparency? One where each individual is empowered to think like an owner, all striving to make the processes cleaner and more productive. This approach would cultivate an environment of trust, producing new ideas and creative solutions while driving growth in both the business and its people.</p> <p>At GlitchSecure, we built our business around these principles. Transparency isn’t just a buzzword—it’s how we hire, grow, and operate. Every team member has a front-row seat to the decision-making process, seeing exactly how things get done. No closed doors, no secret strategies—just an open, collaborative approach to building something better.</p> <h2 id="transparent-salaries-and-financials">Transparent Salaries and Financials</h2> <p>To show what we mean, let’s start with one of our most eye-catching practices. One of the foundational elements of our transparent culture is our approach to salaries and financials. We believe that everyone deserves to understand how compensation is structured and what drives financial decisions within the company. By standardising salaries and making financial information accessible to all employees, we build an environment of trust and collaboration.
Our team can see how their efforts directly contribute to the company’s success, reinforcing our shared commitment to achieving our goals together.</p> <p>We eliminate arbitrary scorecards and set clear expectations from the start. All employees know each other’s take-home pay, creating a level playing field and reducing incentives for drastic pay gaps between the CEO, developers, and marketers. This approach builds a sense of equality within the organisation and helps eliminate jealousy. We encourage individuals to take ownership of their work while defining expectations and direction. This removes uncertainty while giving people room to grow and succeed. We feel that when each employee plays a part in crafting their role, they find motivation to accomplish more and build a stronger company together.</p> <h2 id="big-picture-business-decisions">Big-Picture Business Decisions</h2> <p>Transparency extends beyond numbers. We have grown accustomed to the image of an all-powerful CEO figure, diligently leading the corporation onward with big ideas. But the direction of the company doesn’t have to be steered by one person or a handful of them. Each individual’s opinion should matter as much as anyone else’s. Each of us should have a hand in navigating the ship and paving a road for the future of the company.</p> <p>We, at GlitchSecure, hold weekly get-togethers where the entire team is invited to voice their opinions on a variety of issues, concerns, and ideas. Should we look to integrate this new technology in our system operations? Can we leverage the next big conference to get more exposure for our company? What type of benefit packages should we offer all of the employees? Each and every individual is offered an opportunity to have a voice in conversations like these. A good example of this was our conversation around outside investment. We held several all-company meetings where everyone could discuss the benefits and drawbacks of the offers and share their perspectives.
Together, the options were weighed and the result was a strong deal that every team member was in support of.</p> <h2 id="a-culture-of-communication">A Culture of Communication</h2> <p>Our commitment to transparency is also reflected in our communication practices, particularly in our interactions with customers. We default to recording meetings with clients, allowing us to reference discussions in the future and share insights with team members who may not have been present. Each client is given direct access to our team for questions and support for the entire term of their contract. This allows us to quickly relay information about assessment updates and potential vulnerabilities.</p> <p>It’s not a secret that managing a fully remote team can be challenging, especially when asynchronous chats may not be read until hours later. But we try to turn this to our advantage and use this approach of continuous and public conversation to keep everyone informed regarding all aspects of the company. This system reduces friction, and every employee is welcome to take part in each conversation.</p> <p>We maintain a wiki-style company handbook that outlines our policies, processes, and approaches. It’s a living document, continuously updated and refined, with every employee encouraged to contribute—whether by making corrections, adding missing details, or suggesting improvements.</p> <h2 id="drawbacks-and-downsides">Drawbacks and Downsides</h2> <p>Up until now, we’ve been painting a rosy picture of transparency within our company, but this approach isn’t for everyone. We’ve intentionally built a small, competent team where transparency works because everyone is deeply involved in the big picture. But as a company scales, implementing this level of openness may become increasingly difficult. Larger organisations with heavily siloed verticals often rely on top-down decision-making, which can create barriers that transparency alone won’t remove.
That’s not to say big companies can’t embrace aspects of this model—just that full transparency isn’t always practical at scale.</p> <p>Another challenge lies in security. While customer data and other sensitive information are protected, full internal transparency means company operations, processes, financials, and even proprietary software repositories are open to all employees. This creates a different kind of risk—one that requires trust and strong hiring practices.</p> <p>That said, our approach isn’t about gatekeeping information—it’s about building strong teamwork. As security-minded people, we don’t rely on “security through obscurity.” Instead, we double down on trust, clear communication, and a culture where transparency fuels collaboration rather than becoming a liability.</p> <h2 id="looking-ahead">Looking Ahead</h2> <p>As we move forward with new investors and explore new opportunities, our commitment to transparency and openness remains unwavering. We aim to attract like-minded individuals who see value not just in growing the business, but in growing alongside it. We want our team to feel comfortable in their work, confident in the people around them, and satisfied by the knowledge that their contributions matter.</p> <p>Transparency isn’t just about openness—it’s about trust, accountability, and creating a workplace where people understand the motivations behind every decision. It’s also about questioning the status quo and challenging conventional wisdom. We don’t accept “that’s just how things are done” as a valid reason to move forward. Instead, we encourage a mindset where asking “why” becomes second nature, ensuring every decision has purpose and value.</p> <p>By building an environment where differences are embraced and ideas are valued, we inspire individuals to think like owners. This mindset drives innovation, encourages creativity, and helps us build a stronger, more dynamic business. 
Our goal is to prove that transparency isn’t just an idealistic experiment, but rather a sustainable, competitive advantage that creates a better, more fulfilling place to work.</p> <p>We believe the real opportunity lies in rethinking what it means to lead and build together. Sharing openly and building trust creates the foundation for something that lasts. The future belongs to companies willing to bet on their people.</p>

Author: Brad Bahls

Entry: GlitchSecure Raises $2M (published 2025-04-14, updated 2025-04-14) https://glitchsecure.com/updates/glitchsecure-raises-2m

<p><em>This post was originally published on <a href="https://www.einpresswire.com/article/803094820/glitchsecure-raises-2m-for-application-security-testing-revolution">EIN Presswire</a></em></p> <p><strong>Winnipeg, Manitoba – April 14, 2025 – GlitchSecure, a Winnipeg-based security testing company, announces the closing of a $2 million CAD Seed funding round. The round was led by BDC’s Seed Venture Fund, with participation from the TinySeed syndicate. This is the first investment in Manitoba for the BDC Seed Venture Fund and marks an important milestone in GlitchSecure’s journey to reshape how organisations approach cybersecurity by replacing outdated, reactive measures with continuous, proactive testing solutions.</strong></p> <p>Founded in 2022 by Jade Null, a self-taught ethical hacker and penetration testing expert, GlitchSecure is tackling a growing vulnerability in the cybersecurity landscape: the primary reliance on annual penetration testing. These infrequent assessments provide a limited snapshot of an organisation’s security posture. In the rapidly evolving threat landscape, vulnerabilities can emerge and be exploited within hours, leaving organisations exposed to significant risks, including data breaches, financial losses, and reputational damage.</p> <blockquote> <blockquote> <p>“Application security is no longer a once-a-year checkbox.
We’re helping companies shift from reactive defence to proactive resilience,” said Jade Null, CEO and Founder of GlitchSecure.</p> </blockquote> </blockquote> <h2 id="building-a-people-first-startup">Building a People-First Startup</h2> <p>GlitchSecure is built around its people, which in practice means a true commitment to the core values of transparency, respect and fair compensation. Salaries are clearly outlined and made public to ensure fair compensation along the journey. As part of the funding round, a meaningful ESOP plan that matches combined investor ownership was created to ensure that when the Company wins big, the employees who built it share in the rewards.</p> <p>Over the course of 2024, GlitchSecure has grown to ten team members across Canada and the US who are a collection of incredible hackers and folks who are passionate about the mission to secure the web. While a remote-first company, GlitchSecure is based in Winnipeg and will be opening an office over the coming months as a hub for local and visiting team members, as well as the Winnipeg cybersecurity community.</p> <h2 id="securing-the-web">Securing the web</h2> <p>GlitchSecure helps software companies who are constantly shipping new code on their web apps stay on top of vulnerabilities. The platform provides continuous visibility into vulnerabilities and remediation support. This empowers the average DevOps professional to stay on top of vulnerabilities and foster a culture of security within an organisation. Since launch, GlitchSecure has served early-stage startups and larger enterprise customers, showcasing the Company’s flexibility to scale with and complement the customer’s growth journey. Customers value the comprehensiveness of vulnerability testing alongside the true passion of the team who are always there to help.</p> <p>The funding will be used to fuel GlitchSecure’s product development, expand its team of security experts, and accelerate its go-to-market strategy.
The company is also committed to building a strong community of ethical hackers and security professionals.</p> <h2 id="about-glitchsecure">About GlitchSecure</h2> <p>GlitchSecure is a Winnipeg-based cybersecurity company founded in 2022 by Jade Null, now bolstered by a team of ethical hacking experts. The company’s mission is to provide organisations with the tools and expertise they need to achieve continuous security and stay ahead of cyber threats. GlitchSecure’s innovative platform combines real-time security testing with expert guidance and remediation assistance, empowering businesses to build a culture of security.</p> <p>Interested in learning how GlitchSecure can help you identify and remediate vulnerabilities? Book a call with the founders by visiting <a href="https://glitchsecure.com/intro">glitchsecure.com/intro.</a></p>

Author: GlitchSecure

Entry: Why Your AppSec Strategy Needs Continuous Testing (published 2024-08-26, updated 2024-08-26) https://glitchsecure.com/resources/why-your-appsec-strategy-needs-continuous-testing

<h1 id="why-your-appsec-strategy-needs-continuous-testing">Why Your AppSec Strategy Needs Continuous Testing</h1> <p>If you’re running a business with any kind of online presence, you’re probably already familiar with penetration testing and vulnerability assessments. While both do assist your application security (AppSec) team in identifying system weaknesses before attackers can exploit them, they also fall short in adapting to today’s application development practices. Modern development typically occurs over two-week “sprints” before new code is pushed to production. It takes only about 15 minutes after a new service or application goes live for an attacker to begin probing the environment. With point-in-time penetration testing performed only once a year, it could take just a couple of months for new vulnerabilities to be introduced.
Vulnerability assessments, on the other hand, are automated but require tuning and are most effective at testing individual components, not applications as a whole. They also tend to cause “alert fatigue” with their high false-positive rate.</p> <p>For this reason, we want to introduce a third choice. Something that captures the best of both worlds plus some extra benefits: continuous testing.</p> <h1 id="what-is-continuous-security-testing">What is Continuous Security Testing?</h1> <p>Continuous security testing is the ongoing process of evaluating your application for security vulnerabilities. It combines automated assessments with manual testing to provide comprehensive coverage and depth. The best part is that continuous security testing is designed to keep up with rapid application development cycles and frequent deployments.</p> <p>At GlitchSecure, our continuous testing service integrates a variety of commercial and custom tools to identify vulnerabilities and correlate their results to capture the full scope of your application. We then follow this up with a manual review to verify findings and eliminate false positives. We like to be proof-positive, which means that we only report on things that our assessment team can actively exploit. This approach allows us to provide your team with actionable insights and clear guidance on where attackers might be trying to get in.</p> <h1 id="what-continuous-security-testing-can-do-for-you">What Continuous Security Testing can do for You</h1> <p>Continuous security testing combines the benefits of penetration testing and vulnerability assessments, along with some additional advantages. Let’s dive into what those extras are:</p> <ol> <li> <p><strong>Ongoing Visibility</strong>: Unlike annual penetration testing, continuous security testing provides ongoing visibility into your environment. This enables you to identify and address vulnerabilities as they arise, rather than waiting for the next annual test.
This ongoing visibility allows your team to be proactive, rather than reactive, in detecting and remediating issues.</p> </li> <li> <p><strong>Reduced False-positives</strong>: Continuous security testing tools are tuned to your specific application instead of applying a generalised, “one-size-fits-all” approach. By combining automated tools with manual review, continuous security testing significantly reduces the noise of false positives that often plague vulnerability assessments.</p> </li> <li> <p><strong>Comprehensive Coverage</strong>: Continuous security testing offers broader coverage of scenarios and attack vectors compared to point-in-time assessments, giving you a more complete picture of your security posture. On top of that, the dynamic nature of continuous security testing allows it to adapt to nearly any environment. This means that as your systems or environment change, your testing evolves with them.</p> </li> <li> <p><strong>Cost-Effectiveness</strong>: By leveraging a managed continuous security testing solution, you gain the benefits of multiple commercial application security tools at a fraction of the cost. Additionally, automating the bulk of repetitive testing activities means that continuous security testing can be more cost-effective in the long run, while catching vulnerabilities early reduces the risk of costly breaches.</p> </li> <li> <p><strong>Ease of Use</strong>: What our customers appreciate the most when leveraging our continuous security testing solution is the ease of use. Many of them had already purchased a tool for internal use but quickly discovered how challenging it can be to set up properly. Initial configurations, scan frequency, and finding verification often required a full-time engineer just to manage the system. With our out-of-the-box approach, we handle that for you. 
This way, you receive all the benefits and insights without losing valuable resources in the process.</p> </li> </ol> <p><img src="/assets/img/blog/14/ct-venn-diagram.png" alt="Continuous security testing, best of both approaches" /></p> <p>For our solution, we found ways to integrate well-known tools like Acunetix, Burp Enterprise, OWASP ZAP, Nuclei, and Nessus. If you’ve worked with any of these tools before, you know how much the results can vary from tool to tool and environment to environment. By diligently combining these systems, we’ve developed a service that not only delivers more results than any single tool on its own but also better identifies real, exploitable vulnerabilities.</p> <h1 id="how-continuous-security-testing-fits-into-your-security-strategy">How Continuous Security Testing Fits into Your Security Strategy</h1> <p>To understand how continuous security testing fits into your broader AppSec strategy, think of it like going to the dentist: Your annual pentest is akin to visiting the dentist’s office every 6-12 months. During that time, the dentist provides a thorough cleaning to keep your teeth happy and healthy. However, you still need to brush and floss daily, and that’s where continuous security testing comes in.</p> <p>Use continuous security testing and penetration testing together to apply a layered approach. This combination provides a more comprehensive risk assessment, balancing frequent, automated checks with in-depth, manual analysis.</p> <h1 id="taking-the-next-step">Taking the Next Step</h1> <p>By incorporating continuous security testing into your AppSec strategy, you can keep pace with rapid development cycles, catch vulnerabilities early, and maintain a robust security posture. At GlitchSecure, we’ve seen firsthand how continuous security testing can transform an organisation’s security approach. 
It’s not just about finding vulnerabilities; it’s about building a security-first culture that can adapt to emerging threats.</p> <p>Ready to take your security to the next level? <a href="/demo/">Let’s chat</a> about how we can tailor a continuous security testing strategy to your specific needs.</p>

Author: Gavin Klondike

Entry: GlitchSecure Behind The Scenes (published 2024-01-28, updated 2024-01-28) https://glitchsecure.com/updates/glitchsecure-behind-the-scenes

<p>As a small bootstrapped company in the security testing space, you can imagine we’re up against some pretty big players. Incumbent PTaaS providers boast pools of hundreds of gig-workers or “crowd-sourced” hackers, while SaaS-based security tools claim to automate the pentest.</p> <p>At GlitchSecure, we don’t fit into either of those molds, and we have no intention of doing so. But that may leave you wondering, what are we and how do we stack up against these providers? Let’s dive in…</p> <h1 id="penetration-testing">Penetration Testing</h1> <p>It’s no secret that Penetration Testing is becoming increasingly commoditized. Crowd-sourced vendors have managed to win against incumbent consultancies through low-cost gig-work. However, this has created a large divide in quality and pricing within the industry.</p> <p>When you go out to look for a human-powered penetration test these days, you really have two options:</p> <ul> <li> <p>A crowd-sourced “PTaaS” pentest: cheap but of variable quality due to the nature of gig-work.</p> </li> <li> <p>A traditional penetration test: costly but often performed by highly experienced and well-paid consultants.</p> </li> </ul> <p>This new paradigm has created a gap in the market. Software companies that prioritize security beyond a mere compliance checkbox (SOC2 / ISO27001 etc.) want assurance that the work is done right.
They want the hackers working on their pentest to be focused, with limited context switching, and to know that they have their backs. They also want this without spending tens of thousands of dollars.</p> <p><strong>We fill that gap</strong> in the market because we are small. Not having VC pressure to grow at all costs allows us to build up our team of highly skilled security professionals. This approach also lets us work closely with our customers to extend their team. And, we can even turn down projects that may not be a good fit for our unique skill set.</p> <p>We’re also able to do that since human-driven penetration testing isn’t our primary focus as a company. While it may not be as scalable, the services aspect of our business is an important one as it helps us fund and shape the development of our platform and our continuous security testing offering.</p> <h1 id="building-a-platform">Building a Platform</h1> <p><a href="/updates/introducing-glitchsecure">When I started</a> writing the code for the GlitchSecure platform, I aimed to streamline my existing security consulting. My goal was to automate the collaboration and reporting process and give my customers a better experience than a one-and-done PDF. In reality, I could have used off-the-shelf commercial or open-source software like Plextrac or Dradis. However, I wanted something that fit my specific needs.</p> <p>After only a few short months of writing code in 2022, I had an MVP and was able to work with my first customer to provide penetration testing through it. The experience from both sides was great, and the platform did a few things really well:</p> <ul> <li> <p>It allowed the customer to see findings as I found them.</p> </li> <li> <p>It provided additional insight and consistency.</p> </li> <li> <p>It saved me time by automating report delivery, which meant more time to hack.</p> </li> <li> <p>It allowed real-time collaboration.</p> </li> </ul> <p>The MVP was a total success. The cost? 
Three months of my time and under $10k. I met my goals and learned new tricks in Laravel for a fraction of the price of the existing commercial PTaaS delivery platforms. I built something that could help me deliver my penetration testing services even better than before.</p> <p>As I grew the team and our consulting practice, the platform proved invaluable for maintaining that level of quality and speed of delivery.</p> <h1 id="exploring-automation">Exploring Automation</h1> <p>With a pentest delivery platform built and the team growing, we shifted our focus to exploring automated testing. While we strongly believe we are a long way from fully automated web application penetration testing —<a href="https://old.reddit.com/r/cybersecurity/comments/1acpbmi/what_the_hell_is_ptaas/kjwl3h2/?context=1">some companies are sinking tens of millions just to scratch the surface</a>— we knew there were many tasks we could automate within the OWASP Application Security Verification Standard (ASVS). A wealth of automations already existed, including open-source projects like testssl, nuclei, and OWASP ZAP, as well as stand-alone commercial offerings.</p> <p>While researching this, we learned more and more from customers about what they were doing and what they wanted. After extensive customer interviews, we found that most software companies who pay for security testing fell into one or both of the following categories:</p> <ul> <li> <p>They were performing regular (quarterly or annually) human-driven penetration testing.</p> </li> <li> <p>Their teams used vulnerability scanners or Dynamic Application Security Testing (DAST) tools in-house.</p> </li> </ul> <p>There is an inside joke within the security community around what my friend Travis calls “Pentest puppy mills”. The reality is, anyone can go out and buy a copy of a well-known vulnerability scanner, slap their logo on it, and call it a pentest.
Some companies have even gone so far as to call that automated pentesting and build their entire platform on top of it.</p> <p>At GlitchSecure, we approached this differently. We learned that while companies were spending money on these tools, they were often either underutilised or leaving teams overwhelmed with a mountain of noise. While a company can go out and deploy a commercial DAST tool, the reality is that doing so <a href="/resources/the-hidden-cost-of-self-managed-dast">requires a large amount of resources to both deploy and get value out of it</a>. With this knowledge on hand, we started building out our Continuous Security Testing product.</p> <h1 id="continuous-security-testing">Continuous Security Testing</h1> <p>We knew that there would be limits to what we could automate on our own. We also knew from customer interviews that companies were already paying for and underutilising DAST tooling. We already had a platform to manage and deliver findings. So we started looking for ways to integrate the well-known tools, like Acunetix, Burp Enterprise, OWASP ZAP, Nuclei, and even Nessus. While evaluating these tools, we found that results can vary wildly from tool to tool, and environment to environment.</p> <p>So why settle on one? By ingesting data from not just our own automation or a single tool, but as many as we could get our hands on, we started to see some really cool results and began to infer things we couldn’t without all the data. From this, we were able to build our product offering to not only deliver more results than a single tool on its own but also better distinguish one-off false positives from real and exploitable vulnerabilities.</p> <h1 id="the-human-touch">The Human Touch</h1> <p>Orchestrating half a dozen automated security testing tools and ingesting the data is cool and all. However, sifting through dozens or even hundreds of results can be overwhelming.
It’s hard to find the signal through the noise.</p> <p>That’s where our team comes back in. While we could have just called it a day and started marketing this as a point-and-click SaaS, because we have less pressure, we decided to bring the human element back in.</p> <p><img src="/assets/img/blog/9/ct-process-diagram.png" alt="A diagram of our process" /></p> <p>Each and every result that our platform ingests from those tools is manually reviewed by our team. We take a 5-step approach when doing this:</p> <ol> <li>Consolidate the results <ul> <li>We take the large amount of data collected and consolidate it into a logical set of potential vulnerabilities.</li> </ul> </li> <li>Prove exploitability <ul> <li>We manually validate each potential vulnerability to demonstrate its impact and ensure its validity.</li> </ul> </li> <li>Provide tailored advice <ul> <li>We don’t just copy and paste the information from the tools. Instead, we’ve built up a library of findings, PoCs, and remediation advice. We tailor them to each framework and environment’s unique attributes.</li> </ul> </li> <li>Validate remediation efforts <ul> <li>Once a vulnerability is fixed, we work closely with development teams to test permutations of the issue and ensure it’s fully remediated.</li> </ul> </li> <li>Improve testing <ul> <li>On each iteration, we look at the results, fine-tune our tools, and continue learning from the data.</li> </ul> </li> </ol> <p>This approach isn’t as scalable or profitable as simply spitting out the results. However, we believe it’s the only way to truly ensure quality findings.</p> <h1 id="hackers-at-heart">Hackers At Heart</h1> <p>As a team of hackers, we’re passionate about security first and foremost. Bootstrapping has forced us to remain humble, work harder, and stay true to our roots as hackers.
It compels us to go against the grain and find creative angles others may have missed, instead of relying on throwing money at problems.</p> <p>And it’s working! We prioritize quality over quantity. We ensure highly skilled professionals are in the loop. We avoid chasing automations and profit at all costs.</p> <p>As a result, we’ve been able to provide industry-leading security testing to our customers and continually identify high-impact vulnerabilities.</p> <hr /> <p>This article was written by humans for humans.</p> <p>Interested in learning how we can help you identify and remediate vulnerabilities? <a href="/demo/">Book a call with the founders of GlitchSecure</a>.</p>

Author: Jade Null

Entry: The hidden cost of self-managed DAST (published 2024-01-06, updated 2024-01-06) https://glitchsecure.com/resources/the-hidden-cost-of-self-managed-dast

<p>In April of 2023 PortSwigger —the company that makes the popular security testing tool Burp— <a href="https://portswigger.net/blog/new-burp-suite-enterprise-edition-pay-as-you-scan-pricing">announced a new pricing model</a> for their Enterprise scanning offering. This model, called “Pay as you scan,” lowers the financial barrier of entry by reducing the upfront cost of the software and, instead, charges based on a usage-based billing model that depends on the number of hours scanned.
While the $1,999 price tag may seem appealing, there are a number of other factors to consider that contribute to the final price tag.</p> <p>In this article we’ll explore how you can calculate the actual cost of setting up and using a product like this, both from the software pricing perspective and from the human and infrastructure resource perspective.</p> <p>Throughout the article, we will use an example scenario involving a mid-sized startup looking to use Burp Enterprise to test two distinct web applications: an internal admin dashboard and their primary SaaS application, both with separate login credentials and subdomains.</p> <h2 id="cost-per-hour-scanned">Cost Per Hour Scanned</h2> <p>The key differentiator of Burp Enterprise’s new pay-as-you-scan pricing model is the reduced base cost of $1,999 and an additional charge of $9 USD per hour scanned. While this pricing may sound appealing, calculating the total number of hours a scan will take can be challenging without firsthand experience using the software.</p> <p>At GlitchSecure, we utilise Burp Suite Pro and Burp Suite Enterprise alongside a suite of other Dynamic Application Security Testing (DAST) tools to help us identify vulnerabilities in our customers’ web applications and APIs. Based on the data we’ve collected, we typically observe that a Burp Enterprise scan configured with “Deep” coverage for both the crawl and audit can take anywhere from 4 hours to 48 hours, depending on the size of the application and the number of parallel scans. We’ve also seen poorly configured scans run for several days if left unchecked.</p> <p>With these numbers in mind, we’ll assume an average of 24 hours per application.
Again, assuming two distinct web applications, a monthly scanning cadence, and our $9 per hour rate, that’s an additional $432 per month or $5184 per year.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>24 hours * 2 web applications = 48 hours per month
48 hours * $9/hr = $432 per month
$432 * 12 months = $5,184
$5,184 + $1,999 = $7,183 per year
</code></pre></div></div> <p>As we can see, while the $1,999 entry tag can seem appealing, the cost of a scan can quickly balloon. Incidentally, if we examine Burp Classic’s “concurrent scan” pricing model, we find that the pricing is similar, with a base price of $6,600 for 1 concurrent scan or $7,259 for 2 concurrent scans. Using these numbers for our example scenario, we will assume the lowest cost going forward.</p> <p><strong>Subtotal: $6,600 per year</strong></p> <h2 id="infrastructure-cost">Infrastructure Cost</h2> <p>As a DAST tool, Burp Enterprise is designed to be hosted on your own infrastructure. While the setup and installation of a single-machine deployment is relatively well-documented and straightforward, it does create a recurring infrastructure cost.</p> <p>Looking to Burp Enterprise’s <a href="https://portswigger.net/burp/documentation/enterprise/getting-started/system-requirements/standard-sys-req">system requirement page</a> we can see that a single-machine deployment with 1 concurrent scan recommends 8 CPU cores, 24 GB of RAM, 30 GB of free disk space, and 26 GB of SWAP space. Helpfully, the same page also directs us to the c6i.4xlarge AWS EC2 instance.</p> <p>As of the date of this article, a <code class="language-plaintext highlighter-rouge">c6i.4xlarge</code> AWS EC2 instance <a href="https://instances.vantage.sh/aws/ec2/c6i.4xlarge?region=us-east-1&amp;os=linux&amp;cost_duration=hourly&amp;reserved_term=Standard.noUpfront">is listed</a> as $0.68/hr for on demand and $0.4498/hr for 1 year reserved. 
Assuming we go with a 1 year reserved pricing, that’s $323.85 per month, or $3,886.20 per year.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$0.4498/hr * 720 hours per month = $323.85
$323.85 per month * 12 = $3,886.20 per year
</code></pre></div></div> <p>While you could conceivably reduce this cost through something like a dedicated server rental, it’s likely this route would only increase the human cost due to increased management requirements.</p> <p><strong>Subtotal: $3,886 per year</strong></p> <h2 id="human-cost">Human Cost</h2> <p>The human cost is one that is extremely difficult to calculate. When you think about it, utilising a DAST tool requires a level of technical skill and understanding of security fundamentals typically found only within security professionals. While a typical developer may be able to install, manage, deploy, and configure the tool, a common trend we hear is that there is a lot of time and energy spent on iterating the results and identifying both what’s important and what’s simply a false positive.</p> <p>Tools like Burp Enterprise are designed to be wielded by security professionals, with many findings simply being irrelevant to your average development team. Typical informational level findings, such as a published robots.txt file, Base64-encoded data in parameters, and external service interactions, provide useful insights that can help a security professional know where to look for potential vulnerabilities. However, they are not vulnerabilities on their own.</p> <p>While there is a lot of nuance required here, for the purpose of this article and for providing a quick estimate, we’ll assume an average of 30 minutes per issue for review. Typically, we observe around 14 unique issues reported per app, with anywhere from 5 to 50 permutations of each. 
Ignoring potential rabbit holes a specific permutation might lead you down, that’s an average of 7 hours per app to triage and validate, or 14 hours for our example scenario. If we consider an average security consultant’s hourly rate of $200/hr, that’s $2,800 per month or $33,600 per year.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>14 issues * 30 minutes = 7 hours
7 hours * 2 applications = 14 hours
14 hours * $200/hr = $2,800 per month
$2,800 * 12 = $33,600 per year
</code></pre></div></div> <p>Even with these conservative triage and review times, we can see that once again the cost adds up quickly. While a smaller organisation may farm this out to a less experienced internal developer with a lower hourly wage, we’ve heard time and time again that this results in days or even weeks of time spent instead of hours.</p> <p><strong>Subtotal: $33,600 per year</strong></p> <h2 id="the-total">The Total</h2> <p>As demonstrated, the cost of a single DAST tool is more than what might first appear. 
Totalling our numbers in our example scenario takes us from what appeared to be $1,999 per year to over $40,000 per year across several areas for <em>just two targets</em> and one DAST tool.</p> <table> <thead> <tr> <th style="text-align: left">Cost Source</th> <th style="text-align: right">Amount</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">Software</td> <td style="text-align: right">$6,600/yr</td> </tr> <tr> <td style="text-align: left">Infrastructure</td> <td style="text-align: right">$3,886/yr</td> </tr> <tr> <td style="text-align: left">People</td> <td style="text-align: right">$33,600/yr</td> </tr> <tr> <td style="text-align: left"><strong>Total</strong></td> <td style="text-align: right"><strong>$44,086/yr</strong></td> </tr> </tbody> </table> <h2 id="another-way">Another Way</h2> <p>While we believe tools like Burp Enterprise are a critical piece of the puzzle when it comes to identifying vulnerabilities in web applications and APIs, they can be costly for non-security teams to run and maintain. This may sound like a shameless plug, but it precisely addresses the gap in the market we fill. Our <a href="/continuous-security-testing/">continuous security testing</a> solution can not only decrease the total spending on dynamic application security testing for teams without dedicated offensive security staff, but it also brings additional tooling to the table and enhances the security expertise within your team by putting hackers on your side.</p> <p>We make it easy for you to implement regular security testing by <em>doing it all for you</em>. By combining the best DAST tools on the market (and not just Burp), our team of security experts, and a single pane of glass dashboard, we’re able to deliver you better results and identify vulnerabilities others miss. 
We ensure each tool is configured and tailored for your unique environment, act as the human element to filter out false positives, explore additional attack vectors, and help you prioritise what’s important.</p> <p>We hope this article will be a helpful resource as you look to implement security testing within your organisation. If you’re interested in learning more about what we do, would like some help determining the best solution, or just want to chat, <a href="/demo/">our calendar is always open</a>.</p>
Jade Null
GlitchSecure at StartupTNT Top 5
2023-11-09T00:00:00+00:00
https://glitchsecure.com/updates/startup-tnt-top-5-viii
<p>Hot off the heels of the <a href="https://glitchsecure.com/updates/startup-tnt-top-20-viii">Top 20 pitch night last month</a>, we’re excited to announce that GlitchSecure has been selected as one of five finalists for the Startup TNT Investment Summit VIII Top 5 in Manitoba.</p> <p>GlitchSecure is joined by the following 4 other exciting Manitoba-based tech startups raising funds and building innovative technology.</p> <ul> <li><a href="http://www.cog-net.com/">CogNet Inc</a> <ul> <li><span class="text-sm">CogNet is a health tech startup specializing in machine-learning powered dementia testing. Founded by Dr. Calvin Howard, a clinician-scientist currently based out of Harvard Medical School, we aim to revolutionize dementia diagnostics in Canada. 
Our solutions enable physicians to efficiently diagnose and monitor dementia, alleviating the current healthcare burden. With a validated screening exam and an under-development administrative platform, we offer a timely and accurate diagnostic process, targeting both urban and rural physicians.</span></li> </ul> </li> <li><a href="http://feedflo.com/">FeedFlo</a> <ul> <li><span class="text-sm">FeedFlo is helping to create the barn of the future and a better food system by providing the animal agriculture industry with real-time, high-precision data on the feed flowing through barns. Our patented IoT feed sensor and predictive software enable livestock producers to reduce feed costs, increase operational efficiency, and improve animal health.</span></li> </ul> </li> <li><a href="http://fleetoperate.com/">FleetOperate Inc.</a> <ul> <li><span class="text-sm">FleetOperate is a Technology Trucking Platform designed to assist owner-operators and small to medium-sized trucking companies in launching and expanding their trucking enterprises.</span></li> </ul> </li> <li><a href="http://www.tetragen.ca/">TetraGen Robotics</a> <ul> <li><span class="text-sm">TetraGen Robotics brings robotic automation to small and medium-sized manufacturers with high-mix operations. Their robotic software, powered by machine vision and AI, enables industrial robots to automatically adapt to new parts and processes with minimal programming by end-users.</span></li> </ul> </li> </ul> <p>We look forward to offering investors a chance at our next round of fundraising and hope you’ll be able to join us either in-person or remotely on 16 November 2023. 
Doors will be opening at 5PM CT with the pitches starting at 6PM CT.</p> <p>Event details and registration can be found here: <a href="https://www.eventbrite.ca/e/startup-tnt-investment-summit-viii-finale-tickets-696181947947">https://www.eventbrite.ca/e/startup-tnt-investment-summit-viii-finale-tickets-696181947947</a></p>
Jade Null
SaaS Security Basics on a Shoestring Budget
2023-11-04T00:00:00+00:00
https://glitchsecure.com/resources/saas-security-basics
<h1 id="introduction">Introduction</h1> <p>This blog post is meant to accompany a talk titled “SaaS Security Basics on a Shoestring Budget.”</p> <p>The talk shares my perspective as a recent founder who has spent a lot of the last year helping other founders with their security. Over that time I’ve come to realise that there is a lot of mystery and a basic knowledge gap when it comes to keeping your product and infrastructure secure that the average technical founder or small team simply doesn’t have a grasp on.</p> <h1 id="authentication">Authentication</h1> <h2 id="password-managers">Password Managers</h2> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Authentication - Info.jpg"><img src="/assets/img/blog/6/Authentication - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Authentication - Actionable Advice.jpg"><img src="/assets/img/blog/6/Authentication - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <p>A password manager is a software tool that helps individuals and organizations securely store and manage their passwords. It acts as a vault for storing passwords and generates strong, unique passwords for each account. 
Some benefits of using a password manager include:</p> <ul> <li>Enhanced security: Password managers help create strong, unique passwords for every account, reducing the risk of password reuse and making it harder for attackers to guess or crack passwords.</li> <li>Simplified password management: With a password manager, users don’t need to remember multiple complex passwords. They can securely store and auto-fill passwords across different devices and platforms.</li> </ul> <p>Actionable steps:</p> <ul> <li>Choose a reputable password manager: Research and select a password manager that fits your needs and has a good track record for security.</li> <li>Set a strong master password: Your master password is the key to access all your stored passwords, so it should be unique, long, and complex.</li> <li>Enable multi-factor authentication: Add an extra layer of security by enabling multi-factor authentication (MFA) for your password manager.</li> </ul> <p>Links:</p> <ul> <li><a href="https://bitwarden.com/">Bitwarden Password Manager</a></li> </ul> <h2 id="mfa">MFA</h2> <p>MFA stands for Multi-Factor Authentication, a security measure that adds an extra layer of protection to the authentication process by requiring users to provide multiple forms of verification to access a system or an account. 
MFA helps prevent unauthorized access and strengthens the security of sensitive information.</p> <p>Benefits of MFA:</p> <ul> <li>Increases security: By requiring multiple factors of authentication, MFA significantly reduces the risk of unauthorized access to accounts or systems.</li> <li>Mitigates password-related risks: MFA reduces the reliance on passwords alone, which are often weak or easily compromised, making it difficult for attackers to gain access.</li> </ul> <p>Actionable Steps:</p> <ul> <li>Enable MFA: Activate multi-factor authentication on all critical accounts and systems that offer this feature.</li> <li>Use different factors: Utilize a combination of factors such as hardware tokens and/or one-time passwords for enhanced security.</li> <li>Keep backups: Ensure offline or other backups are made when relying on a single MFA factor.</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html">Multi-Factor Authentication Cheat Sheet</a></li> </ul> <h2 id="leaked-passwords">Leaked Passwords</h2> <p>Breached or leaked password monitoring is a process that allows individuals and organizations to check if their passwords have been exposed or compromised in data breaches. 
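</p> <p>The breached-password check this section describes, as an added example that is not code from the original post: it uses the k-anonymity range endpoint of the Pwned Passwords API linked below, so only the first five characters of the password’s SHA-1 hash leave your server. The range response is a constructed sample, and the length minimum and padding header are assumptions of this example.</p>

```python
# Added example, not code from the original post: a breached-password check
# built on the Pwned Passwords range API (https://api.pwnedpasswords.com/range/).
# Only the first five hex characters of the SHA-1 hash are sent; the remaining
# 35 are matched locally against the returned range of suffixes.
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_LENGTH = 12  # assumed policy minimum for this example

# Constructed sample of a range response (SUFFIX:COUNT per line), shaped like
# the API's reply for prefix 5BAA6. The counts are illustrative, not live data.
SAMPLE_RANGE_5BAA6 = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F3AB2C2FBA1E6C5BDE65A86C8E2D6F2F9D:1\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Return the breach count recorded for suffix in a range response,
    or 0 when the suffix is absent (padded entries also carry a count of 0)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix. Add-Padding asks the API to pad the
    response so its size does not reveal which bucket was requested."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "breached-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup=fetch_range) -> int:
    """How many known breaches contain this password. The lookup callable is
    injectable so the logic can be exercised offline against a sample range."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, lookup(prefix))


def validate_new_password(password: str, lookup=fetch_range) -> tuple[bool, str]:
    """Signup / password-change policy: enforce a length floor, then reject
    anything that has appeared in a breach, and tell the user why."""
    if len(password) >= MIN_LENGTH:
        hits = breach_count(password, lookup)
        if hits:
            return False, f"password appeared in {hits} known breaches; choose another"
        return True, "ok"
    return False, f"password must be at least {MIN_LENGTH} characters"


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print(split_hash("password"))                      # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(breach_count("password", offline))           # 3730471
    print(validate_new_password("password", offline))  # (False, 'password must be at least 12 characters')
```

<p>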
This can help increase the security of online accounts and systems by identifying weak or compromised passwords.</p> <p>Benefits:</p> <ul> <li>Enhanced security: Breached password checking helps identify if passwords have been compromised, allowing users to take appropriate action to protect their accounts.</li> <li>Proactive approach: Checking for breached passwords allows individuals and organizations to be proactive in their security measures, reducing the risk of unauthorized access.</li> </ul> <p>Actionable steps:</p> <ul> <li>Use reputable breached password checking tools, such as Have I Been Pwned or Firefox Monitor, to check if your passwords have been compromised.</li> <li>Prevent users from reusing passwords that are known to be breached, and educate users on the importance of password managers.</li> </ul> <p>Links:</p> <ul> <li><a href="https://haveibeenpwned.com/API/v3">Pwned Passwords API</a></li> <li><a href="https://developers.cloudflare.com/waf/exposed-credentials-check/">Cloudflare: Automated exposed credentials check</a></li> <li><a href="https://laravel.com/docs/10.x/validation#validating-passwords">Laravel: Validating Passwords</a></li> </ul> <h1 id="email-security">Email Security</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Email Security - Info.jpg"><img src="/assets/img/blog/6/Email Security - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Email Security - Actionable Advice.jpg"><img src="/assets/img/blog/6/Email Security - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="spf">SPF</h2> <p>SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing and phishing attacks. 
It allows email recipients to check if the sender is authorized to send emails on behalf of the claimed domain.</p> <p>Benefits of SPF:</p> <ul> <li>Protection against email spoofing and sender address forgery</li> <li>Helps improve email deliverability</li> </ul> <p>Actionable steps:</p> <ul> <li>Add SPF records to your DNS configuration, specifying the authorized mail servers for your domain</li> <li>Regularly monitor SPF failures and investigate any unauthorized sources of email using your domain</li> </ul> <p>Links:</p> <ul> <li><a href="https://www.dmarcly.com/blog/how-to-set-up-sender-policy-framework-spf-the-complete-guide">How to Set Up Sender Policy Framework (SPF)</a></li> </ul> <h2 id="dkim">DKIM</h2> <p>DomainKeys Identified Mail (DKIM) is an email authentication method that allows the recipient of an email to verify that it came from the domain it claims to be from and that it hasn’t been modified during transit.</p> <p>Benefits of DKIM:</p> <ul> <li>Protection against email spoofing and sender address forgery</li> <li>Enhances email deliverability</li> </ul> <p>Actionable steps for implementing DKIM:</p> <ul> <li>Generate a public-private key pair for your domain.</li> <li>Publish the public key in your domain’s DNS records.</li> <li>Configure your email server to sign outgoing messages with the private key.</li> </ul> <p>Links:</p> <ul> <li><a href="https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide">How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing</a></li> </ul> <h2 id="dmarc">DMARC</h2> <p>DMARC (Domain-based Message Authentication, Reporting, and Conformance) is another email authentication protocol that helps protect against email spoofing and phishing attacks. 
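</p> <p>A static audit of the SPF and DMARC DNS records covered in these three sections, as an added example that is not code from the original post: it flags the settings that leave a domain spoofable (a permissive <code class="language-plaintext highlighter-rouge">all</code> qualifier, too many lookup terms, a monitor-only DMARC policy, no reporting address). The records are constructed strings; the domain names and finding codes are this example’s own.</p>

```python
# Added example, not code from the original post: audit the SPF and DMARC TXT
# records a domain publishes and report weak settings. Records here are
# constructed strings; in production you would read them from DNS (SPF at the
# domain itself, DMARC at _dmarc.example.com).

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 limits DNS-querying terms to 10 per evaluation


def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' term (None if absent) and the terms
    that each cost a DNS lookup when a receiver evaluates the record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    lookup_terms = []
    for term in terms[1:]:
        qualifier, body = "+", term          # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # mechanism name precedes any ':' argument, '=' modifier value or '/' CIDR
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookup_terms.append(body)
    return {"all": all_qualifier, "lookup_terms": lookup_terms}


def audit_spf(record: str) -> list:
    """Findings as (code, message) tuples; an empty list means nothing to fix."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append(("SPF_NO_ALL", "no 'all' term: unlisted senders get a neutral result"))
    elif spf["all"] == "+":
        findings.append(("SPF_PLUS_ALL", "+all authorises every host on the internet to send as your domain"))
    elif spf["all"] == "?":
        findings.append(("SPF_NEUTRAL_ALL", "?all is neutral: unlisted senders neither pass nor fail"))
    elif spf["all"] == "~":
        findings.append(("SPF_SOFTFAIL", "~all only softfails; move to -all once DMARC reports show no legitimate failures"))
    if len(spf["lookup_terms"]) > SPF_LOOKUP_LIMIT:
        findings.append(("SPF_TOO_MANY_LOOKUPS",
                         f"{len(spf['lookup_terms'])} lookup terms before expanding includes; receivers permerror above {SPF_LOOKUP_LIMIT}"))
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Findings as (code, message) tuples for the DMARC record at _dmarc.<domain>."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("DMARC_INVALID", "record must begin with v=DMARC1")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("DMARC_NO_POLICY", "p= tag missing or invalid; receivers ignore the record"))
    elif policy == "none":
        findings.append(("DMARC_MONITOR_ONLY", "p=none only reports; mail failing authentication is still delivered"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_RUA", "no rua= address, so you receive no aggregate reports to review"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) != 100:
        findings.append(("DMARC_PARTIAL_PCT", f"pct={pct}: only that share of failing mail gets the policy applied"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_spf("v=spf1 include:_spf.google.com +all"):
        print(code, "-", msg)
    for code, msg in audit_dmarc("v=DMARC1; p=none"):
        print(code, "-", msg)
```

<p>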
It allows organizations to specify how their emails should be handled when received by the recipient’s server and can help provide better visibility and control over email authentication in order to safeguard your domain from unauthorized use.</p> <p>Benefits of DMARC:</p> <ul> <li>Further reduces the risk of email spoofing and phishing attacks by authenticating emails sent from a specific domain.</li> <li>Provides visibility into email fraud attempts through reports on email authentication and deliverability.</li> </ul> <p>Actionable steps to implement DMARC:</p> <ul> <li>Begin by publishing a DMARC record in your organization’s DNS settings.</li> <li>Gradually configure the DMARC policy to specify how to handle emails that fail authentication, such as quarantine or reject.</li> <li>Regularly review DMARC reports to ensure proper email authentication and address any potential issues.</li> </ul> <p>Links:</p> <ul> <li><a href="https://dmarc.postmarkapp.com/">Free weekly email to help monitor &amp; implement DMARC</a></li> </ul> <h1 id="limiting-attack-surface">Limiting attack surface</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Attack Surface - Info.jpg"><img src="/assets/img/blog/6/Attack Surface - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Attack Surface - Actionable Advice.jpg"><img src="/assets/img/blog/6/Attack Surface - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="identifying-subdomains">Identifying subdomains</h2> <p>Subdomain enumeration is the process of discovering and mapping out all the subdomains associated with a particular domain. 
By doing so, organizations can effectively limit their attack surface by identifying and securing these potentially vulnerable entry points into their network.</p> <p>Benefits:</p> <ul> <li>Improved visibility: Identifying subdomains allows organizations to have a comprehensive understanding of all the domains associated with their network, enabling better visibility into potential attack vectors.</li> <li>Better security posture: By identifying and securing these subdomains, organizations can effectively reduce their attack surface and minimize the chances of unauthorized access or compromise.</li> </ul> <p>Actionable steps:</p> <ul> <li>Conduct a comprehensive DNS scan: Use tools like DNS enumeration or subdomain scanning to identify all the subdomains associated with a specific domain.</li> <li>Assess and prioritize risks: Once the subdomains are identified, prioritize them based on their potential impact and vulnerability. Focus on securing high-risk subdomains first.</li> <li>Regularly review and update subdomains: As new subdomains may be added or existing ones removed, it is crucial to continually review and update the list of identified subdomains to maintain an</li> </ul> <p>Links:</p> <ul> <li><a href="https://github.com/projectdiscovery/subfinder">Subfinder</a></li> </ul> <h2 id="port-scanning">Port Scanning</h2> <p>Port scanning is a technique used by attackers to identify open ports on a target system. 
By scanning different ports, attackers can gather information about potential vulnerabilities in a network or system.</p> <p>Benefits:</p> <ul> <li>Identify open ports and potential vulnerabilities</li> <li>Evaluate network or system security</li> </ul> <p>Actionable Steps:</p> <ul> <li>Regularly conduct port scans to identify any open ports that could be used as an entry point for attackers</li> <li>Implement port filtering or firewall rules to restrict access to only necessary ports and services</li> </ul> <p>Links:</p> <ul> <li><a href="https://nmap.org/">nmap</a></li> <li><a href="https://github.com/projectdiscovery/naabu">naabu</a></li> </ul> <h2 id="web-application-firewalls">Web Application Firewalls</h2> <p>A web application firewall (WAF) is a security tool designed to protect web applications from various attacks, including SQL injection, cross-site scripting (XSS), and other vulnerabilities. It acts as a shield between the web application and the internet, monitoring and filtering incoming traffic to identify and block malicious requests.</p> <p>Benefits:</p> <ul> <li>Enhanced security: WAFs provide an additional layer of protection to web applications, preventing common attacks and vulnerabilities.</li> <li>Improved performance: By filtering out malicious traffic before it reaches the application, WAFs can help optimize performance and reduce the load on the server.</li> </ul> <p>Actionable steps:</p> <ul> <li>Evaluate and choose a WAF solution: Research and select a reputable web application firewall provider that suits your requirements.</li> <li>Configure the WAF rules: Customize the firewall rules according to the specific needs of your web application, considering potential threats and vulnerabilities.</li> <li>Regularly update and monitor the WAF: Keep the WAF up to date with the latest security patches and continuously monitor alerts and logs for any signs of suspicious activity.</li> <li>Set up Cloudflare Access / Zero Trust for admin panels and 
non-public tools</li> </ul> <p>Links:</p> <ul> <li><a href="https://www.cloudflare.com/en-ca/zero-trust/products/access/">Cloudflare Access</a></li> </ul> <h1 id="source-code-security">Source Code Security</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Source Code Security - Info.jpg"><img src="/assets/img/blog/6/Source Code Security - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Source Code - Actionable Advice.jpg"><img src="/assets/img/blog/6/Source Code - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="branch-protections">Branch protections</h2> <p>Branch protections on services such as GitHub and GitLab allow repository administrators to enforce certain rules and restrictions on specific branches within a repository. These protections help maintain the integrity and security of the codebase, as well as facilitate collaboration among developers.</p> <p>Benefits:</p> <ul> <li>Prevent accidental changes: Branch protections can prevent force pushes, which helps safeguard against accidental data loss or overwriting of code.</li> <li>Enforce code quality: By requiring certain checks, such as passing tests or successful code review, branch protections ensure that only verified and high-quality code is merged into protected branches.</li> </ul> <p>Actionable steps:</p> <ul> <li>Define required status checks: Specify the checks that need to pass before merging into the protected branch, such as code reviews or successful tests and linting, to enforce code quality.</li> <li>Set up branch protection rules: Configure other restrictions like preventing force pushes, requiring certain reviewers, or requiring signed commits to maintain code integrity and enforce security protocols.</li> </ul> <p>Links:</p> <ul> <li><a 
href="https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule">Managing a branch protection rule</a></li> </ul> <h2 id="commit-signing">Commit signing</h2> <p>Commit signing refers to the process of adding a digital signature to software code commits in order to ensure their integrity and authenticity. It involves using cryptographic techniques to generate a unique signature that can be verified to prove that the commit has not been tampered with and was made by a trusted source.</p> <p>Benefits:</p> <ul> <li>Integrity verification: Commit signing ensures that the code commits have not been modified or manipulated during the development process.</li> <li>Authentication: It provides assurance that the commit was made by a trusted individual or organization.</li> </ul> <p>Actionable steps:</p> <ul> <li>Generate keys: Create a pair of PGP keys (private and public) to be used for signing commits.</li> <li>Sign commits: Use the private key to generate a unique signature for each commit, and add it to the commit message or metadata.</li> </ul> <p>Links:</p> <ul> <li><a href="https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification">GitHub: Commit signature verification</a></li> </ul> <h2 id="dependencies">Dependencies</h2> <p>Dependency monitoring with tools like Snyk and Dependabot refers to the practice of continuously monitoring the dependencies used in an application or software project for any known security vulnerabilities or other issues, and taking proactive measures to address them.</p> <p>Benefits:</p> <ul> <li>Early detection of vulnerabilities: Dependency monitoring helps to identify and address vulnerabilities in the dependencies before they can be exploited by attackers.</li> <li>Saves time and effort: These tools automate the process of checking for vulnerabilities, saving the developers’ time and effort in manually 
reviewing dependencies.</li> </ul> <p>Actionable steps:</p> <ul> <li>Set up dependency monitoring tools: Install and configure tools like Snyk or Dependabot to automatically scan and monitor the dependencies in your project.</li> <li>Regularly update dependencies: Keep your dependencies up to date by regularly checking for and applying updates that include security patches and fixes.</li> <li>Address vulnerabilities: When a vulnerability is identified, take prompt action by updating or replacing the affected dependency with a secure version to mitigate the risk.</li> </ul> <p>Links:</p> <ul> <li><a href="https://snyk.io/">Snyk</a></li> <li><a href="https://docs.github.com/en/code-security/dependabot/working-with-dependabot">Working with Dependabot</a></li> </ul> <h2 id="sast">SAST</h2> <p>SAST stands for Static Application Security Testing. It is a type of security testing that involves analyzing the source code of an application to identify vulnerabilities and potential security weaknesses.</p> <p>Benefits of SAST:</p> <ul> <li>Early detection of vulnerabilities: SAST helps in identifying security flaws in the source code during the development phase, allowing for timely remediation before the application is deployed.</li> <li>Automates security testing: SAST tools can automatically scan and analyze the source code, reducing the manual effort required for security testing.</li> </ul> <p>Actionable steps for implementing SAST:</p> <ul> <li>Select a suitable SAST tool: Research and choose a SAST tool that can analyze the programming languages and frameworks used in the application.</li> <li>Configure and scan the source code: Configure the SAST tool to scan the source code of the application for potential vulnerabilities.</li> <li>Analyze the results: Review the SAST scan results to identify security vulnerabilities and prioritize them for remediation.</li> </ul> <p>Links:</p> <ul> <li><a 
href="https://www.sonarsource.com/open-source-editions/sonarqube-community-edition/">SonarQube Community Edition</a></li> <li><a href="https://github.com/semgrep/semgrep">Semgrep</a></li> </ul> <h2 id="logging--error-monitoring">Logging &amp; Error Monitoring</h2> <p>Logging and error monitoring is the process of collecting and analyzing logs and error messages generated by various systems, applications, and devices to identify and rectify any issues or anomalies that may indicate potential security threats or system vulnerabilities.</p> <p>Benefits:</p> <ul> <li>Early detection of security incidents or breaches</li> <li>Proactive identification and resolution of system errors and bugs to minimize downtime and improve stability</li> </ul> <p>Actionable steps:</p> <ul> <li>Implement a centralized logging system to aggregate logs from various sources.</li> <li>Configure automated notifications for critical errors or security-related events.</li> <li>Regularly review logs and error messages to spot any unusual activities or patterns.</li> </ul> <p>Links:</p> <ul> <li><a href="https://sentry.io/pricing/">Sentry.io</a></li> <li><a href="https://flareapp.io">Flare Laravel Error Tracking</a></li> <li><a href="https://graylog.org/">Graylog</a></li> </ul> <h1 id="application-security">Application Security</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/AppSec - Info.jpg"><img src="/assets/img/blog/6/AppSec - Info.jpg" alt="Advice" /></a></td> <td><a href="/assets/img/blog/6/AppSec - Actionable Advice.jpg"><img src="/assets/img/blog/6/AppSec - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="hsts">HSTS</h2> <p>HSTS stands for HTTP Strict Transport Security. It is a security feature that helps protect websites against certain types of attacks, such as SSL stripping and man-in-the-middle attacks. 
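</p> <p>A validator for the <code class="language-plaintext highlighter-rouge">Strict-Transport-Security</code> header this section describes, as an added example that is not code from the original post: it applies the “max-age greater than 6 months” rule from the actionable steps (assumed here as 15768000 seconds) and also checks the stricter one-year and includeSubDomains requirements of the browser preload list. The sample headers and finding codes are this example’s own.</p>

```python
# Added example, not code from the original post: audit a server's
# Strict-Transport-Security header against the post's six-month minimum and
# the requirements browsers impose before accepting a domain for preloading.

SIX_MONTHS = 15768000        # 182.5 days: assumed value for the post's "greater than 6 months"
PRELOAD_MIN_AGE = 31536000   # one year, required by hstspreload.org alongside includeSubDomains


def parse_hsts(header: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict keyed by the
    lowercased directive name; valueless directives map to an empty string."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def find_header(headers: dict, name: str):
    """Case-insensitive lookup, since header names arrive in whatever case the server sent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def audit_hsts(header) -> list:
    """Findings as (code, message) tuples; an empty list means the header
    meets the six-month bar (and the preload bar, if preload is requested)."""
    if header is None or not header.strip():
        return [("HSTS_MISSING", "no Strict-Transport-Security header; browsers will still follow http:// links to this host")]
    directives = parse_hsts(header)
    raw_age = directives.get("max-age")
    if raw_age is None or not raw_age.isdigit():
        return [("HSTS_NO_MAX_AGE", "max-age is missing or not a number, so browsers ignore the header")]
    max_age = int(raw_age)
    findings = []
    if max_age == 0:
        findings.append(("HSTS_DISABLED", "max-age=0 tells browsers to forget the policy"))
    elif SIX_MONTHS > max_age:
        findings.append(("HSTS_SHORT_MAX_AGE", f"max-age={max_age} is under six months ({SIX_MONTHS} seconds)"))
    if "includesubdomains" not in directives:
        findings.append(("HSTS_NO_SUBDOMAINS", "without includeSubDomains, subdomains can still be reached over plain http"))
    if "preload" in directives and (PRELOAD_MIN_AGE > max_age or "includesubdomains" not in directives):
        findings.append(("HSTS_PRELOAD_UNMET", "preload needs max-age of at least one year and includeSubDomains"))
    return findings


def audit_response(headers: dict) -> list:
    """Audit the HSTS header out of a full response header dict (constructed or captured)."""
    return audit_hsts(find_header(headers, "Strict-Transport-Security"))


if __name__ == "__main__":
    # Constructed response headers as a web server might send them.
    sample = {"Content-Type": "text/html", "strict-transport-security": "max-age=86400"}
    for code, msg in audit_response(sample):
        print(code, "-", msg)
```

<p>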
When a website has HSTS enabled, it tells the user’s browser to only access the website over a secure HTTPS connection, even if the user types in “http://” in the address bar.</p> <p>Benefits of HSTS:</p> <ul> <li>Protects against SSL stripping attacks and man-in-the-middle attacks</li> <li>Helps ensure that website communication is always encrypted and secure</li> </ul> <p>Actionable steps to enable HSTS:</p> <ul> <li>Configure your web server or web application to send the “Strict-Transport-Security” header with a max-age of at least six months, or at least one year (31536000 seconds) together with <code class="language-plaintext highlighter-rouge">includeSubDomains</code> if you intend to submit the site to the browser preload list. Browsers only honor the header on HTTPS responses, so keep the HTTP-to-HTTPS redirect in place as well.</li> <li>Ensure that your web server supports HTTPS and has a valid SSL/TLS certificate installed for every hostname the policy covers, including every subdomain when <code class="language-plaintext highlighter-rouge">includeSubDomains</code> is set. HSTS is hard to undo: a long max-age combined with an expired certificate or an HTTP-only subdomain locks users out until the policy ages out, so roll it out with a short max-age first and raise it once everything serves cleanly over HTTPS.</li> </ul> <p>Links:</p> <ul> <li><a href="https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security">Cloudflare enabling HSTS</a></li> <li><a href="https://letsencrypt.org/docs/integration-guide/">Let’s Encrypt: Integration Guide</a></li> </ul> <h2 id="cookies">Cookies</h2> <p>Cookie attributes such as <code class="language-plaintext highlighter-rouge">Secure</code>, <code class="language-plaintext highlighter-rouge">HttpOnly</code>, <code class="language-plaintext highlighter-rouge">SameSite</code>, <code class="language-plaintext highlighter-rouge">Path</code>, <code class="language-plaintext highlighter-rouge">Domain</code>, and expiry are important features in web security to protect user information and prevent unauthorized access to cookies.</p> <p>Benefits:</p> <ul> <li>Secure attribute ensures that cookies are only transmitted over HTTPS connections, protecting them from interception on the network.</li> <li>HttpOnly attribute prevents client-side scripts from reading the cookie, so a cross-site scripting (XSS) flaw cannot simply exfiltrate the session token. It does not prevent XSS itself, and injected script can still act as the user while the page is open.</li> <li>SameSite attribute controls whether the cookie is sent on cross-site requests, which removes most cross-site request forgery (CSRF) exposure for cookie-based sessions.</li> </ul> <p>Actionable Steps:</p> <ul> <li>Set the Secure attribute on cookies to ensure they are only transmitted over HTTPS connections.</li> <li>Add the HttpOnly attribute to cookies to prevent client-side scripts from accessing them.</li> <li>Set <code class="language-plaintext highlighter-rouge">SameSite=Lax</code> (or <code class="language-plaintext highlighter-rouge">Strict</code> where cross-site navigation does not need to carry the session) rather than relying on browser defaults.</li> <li>Use the Path attribute to restrict the cookie to the part of the site that needs it. Treat this as hygiene rather than a security boundary: the browser’s same-origin policy does not separate paths, so script running on any path of the same origin can still read the cookie.</li> <li>Leave the Domain attribute unset unless the cookie must be shared across subdomains. Omitting it scopes the cookie to the exact host that set it; setting <code class="language-plaintext highlighter-rouge">Domain=example.com</code> sends the cookie to every subdomain and lets any subdomain overwrite it.</li> <li>Set an appropriate expiry time for cookies to control their lifespan and minimize the risk of data exposure; for session cookies, keep the lifetime no longer than the server-side session.</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies">OWASP Session Management Cheat Sheet - Cookies</a></li> </ul> <h2 id="session-management">Session Management</h2> <p>Session management refers to the process of maintaining and tracking the various sessions or interactions between a user and a system or website. It involves creating, maintaining, and terminating sessions to ensure a secure and seamless user experience.</p> <p>Benefits of session management:</p> <ul> <li>Enhanced security: Session management helps prevent unauthorized access by implementing measures like session timeouts, session tokens, and secure cookie management.</li> <li>Improved user experience: It allows users to have uninterrupted interactions with the system or website, with features like session resumption and session recovery.</li> </ul> <p>Actionable steps for session management:</p> <ul> <li>Implement session timeouts: Configure the system to terminate sessions automatically after a predetermined period of inactivity, and enforce an absolute maximum lifetime as well, so a stolen token cannot be kept alive indefinitely by periodic use.</li> <li>Use secure session tokens: Generate session tokens from a cryptographically secure random generator (OWASP recommends identifiers of at least 128 bits carrying at least 64 bits of entropy), never derive them from user data or timestamps, and issue a fresh token at login and on privilege change to prevent session fixation.</li> <li>Encrypt session data: Protect sensitive session information by encrypting it both in transit and at rest, using strong encryption algorithms and secure protocols. Prefer keeping session state server-side with only the opaque token in the cookie; a client-side session must be both signed and encrypted.</li> <li>Monitor and log session activities: Keep track of session events, such as login and logout attempts, session creations, and terminations, without writing the token itself into logs, to detect any suspicious or 
unauthorized activities.</li> <li>Provide users with notice and control: Notify users when a new session is started from an unfamiliar IP address or user agent, show them their active sessions, and give them the ability to terminate the other sessions.</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-management-implementation">OWASP Session Management Cheat Sheet - Implementation</a></li> </ul> <h2 id="rate-limiting">Rate Limiting</h2> <p>Rate limiting is a technique used to control the number of requests or actions a client can make against a system within a given time frame. It is employed to prevent abuse, to blunt application-layer denial of service, and to ensure fair usage of resources. It does not stop a volumetric DDoS on its own; that needs capacity upstream at a CDN or network provider.</p> <p>Benefits of rate limiting:</p> <ul> <li>Prevents abuse of resources that cost money or reputation, such as outbound email, SMS and other third-party API calls triggered by user actions.</li> <li>Reduces the impact of brute-forcing (passwords, OTP codes, reset tokens) and of enumeration-based information disclosure.</li> <li>Prevents denial of service through resource consumption on expensive endpoints.</li> </ul> <p>Actionable steps for implementing rate limiting:</p> <ul> <li>Set sensible limits: Determine the maximum number of requests allowed within a given time frame per user or application, and key the limit on more than one attribute (client IP, account, API key, endpoint), since attackers rotate source addresses and a single IP-based limit also punishes users behind shared NAT. Return <code class="language-plaintext highlighter-rouge">429 Too Many Requests</code> with a <code class="language-plaintext highlighter-rouge">Retry-After</code> header so legitimate clients back off.</li> <li>Implement rate limiting mechanisms: Use web application firewalls, framework-specific limiters, load balancers or API gateways to enforce the limits, and layer them: edge limits absorb volume, while limits inside the application protect the endpoints that matter most (login, password reset, signup, search, export).</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html#rate-limiting">OWASP Denial of Service Cheat Sheet - Rate limiting</a></li> </ul> <h2 id="idor">IDOR</h2> <p>IDOR stands for Insecure Direct Object Reference, which refers to a vulnerability in web applications where an attacker can access unauthorized resources or perform unauthorized actions by manipulating direct object references. 
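</p>
<p>Before the IDOR discussion continues, here is an added example, not code from this checklist or from GlitchSecure, that implements the Session Management and Rate Limiting steps above in plain Python: CSPRNG session tokens, idle and absolute timeouts, an audit trail that never records the full token, a notice to the user’s other sessions when a login arrives from an unfamiliar IP or user agent, “log out everywhere else”, and a sliding-window limiter keyed on both client IP and username for the login endpoint. The timeout values, limits, addresses and the <code class="language-plaintext highlighter-rouge">verify_password</code> callback are assumptions; a real deployment would keep limiter and session state in a shared store such as Redis rather than in process memory.</p>

```python
import secrets
import time
from collections import deque
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is dropped (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's life regardless of activity (assumed)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key. Keys are chosen by the
    caller, so the same limiter can be keyed on IP, username, API key or a combination."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = {}            # key -> deque of event timestamps

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # forget events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float
    notices: list = field(default_factory=list)   # "new login from ..." messages for the user


class SessionStore:
    """Server-side sessions: random tokens, timeouts, audit log, new-device notices."""

    def __init__(self):
        self._sessions = {}   # token -> Session
        self.audit = []       # (event, user, ip, token_prefix); never log the whole token

    def _log(self, event, session, token):
        self.audit.append((event, session.user, session.ip, token[:8]))

    def create(self, user, ip, user_agent, now):
        token = secrets.token_urlsafe(32)        # 256 random bits from the OS CSPRNG
        session = Session(user, ip, user_agent, now, now)
        # Tell the user's existing sessions about a login from an unfamiliar IP/user agent.
        for other in self._sessions.values():
            if other.user == user and (other.ip, other.user_agent) != (ip, user_agent):
                other.notices.append(f"new login from {ip} ({user_agent})")
        self._sessions[token] = session
        self._log("login", session, token)
        return token

    def resolve(self, token, now):
        """Return the live Session for `token`, or None if unknown or timed out."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            self.terminate(token, reason="timeout")
            return None
        session.last_seen = now
        return session

    def terminate(self, token, reason="logout"):
        session = self._sessions.pop(token, None)
        if session is not None:
            self._log(reason, session, token)

    def terminate_others(self, user, keep_token):
        """'Log out everywhere else': revoke every session of `user` except `keep_token`."""
        for token in [t for t, s in self._sessions.items() if s.user == user and t != keep_token]:
            self.terminate(token, reason="revoked")


def login(store, limiter, user, password, verify_password, ip, user_agent, now):
    """Rate-limited login. Limiting on the IP alone lets a botnet spray one account;
    limiting on the username alone lets one host spray many accounts, so both are checked."""
    if not limiter.allow(f"ip:{ip}", now) or not limiter.allow(f"user:{user}", now):
        return None, "rate limited"
    if not verify_password(user, password):     # real code compares against a salted hash
        return None, "bad credentials"
    return store.create(user, ip, user_agent, now), "ok"
```

<p>With a limit of five attempts per minute, the sixth wrong password from one address is refused with “rate limited” before the password is even checked; a later login from a second browser leaves a notice on the first session, and the first session disappears from <code class="language-plaintext highlighter-rouge">resolve</code> as soon as either the idle timeout passes or the user revokes it from the second device.</p>
<p>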
This vulnerability arises when an application does not properly enforce access controls on the direct object references it exposes, such as the numeric ID in <code class="language-plaintext highlighter-rouge">/invoices/1234</code>.</p> <p>Benefits:</p> <ul> <li>Improved data protection: By addressing IDOR vulnerabilities, sensitive data and resources are protected from unauthorized access and exploitation.</li> <li>Enhanced user trust: Fixing IDOR vulnerabilities demonstrates a commitment to security, helping to build trust with users and customers.</li> </ul> <p>Actionable Steps:</p> <ul> <li>Implement appropriate access controls: On every request, check that the authenticated user is authorized for the specific object referenced, not merely for the endpoint. The most robust pattern is to scope the lookup to the caller (for example, filtering by owner in the query) rather than fetching by ID and remembering to check afterwards.</li> <li>Use indirect references: Avoid directly referencing sensitive resources or data in URLs or other client-side parameters. Instead, use indirect references that are harder to guess or tamper with. Treat this as defense in depth only: an unguessable identifier still leaks through logs, referrers and shared links, so the access check above remains mandatory.</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html">OWASP Insecure Direct Object Reference Prevention Cheat Sheet</a></li> </ul> <h2 id="injection-flaws">Injection Flaws</h2> <p>Injection flaws, such as SQLi (SQL Injection), XSS (Cross-Site Scripting), and SSRF (Server-Side Request Forgery), are vulnerabilities that allow an attacker to manipulate input data to execute arbitrary commands or inject malicious code into an application’s database, client-side scripts, or server-side requests. 
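</p>
<p>As an added example that is not part of this checklist, the following Python covers both the IDOR steps above and the injection steps that follow: a deliberately flawed lookup that pastes a user-supplied ID into SQL and never checks ownership, next to the hardened version that validates the type, binds the value as a parameter and makes the ownership predicate part of the query; plus an output-encoding helper for the HTML-body context and an allowlist check for server-side requests. The table, rows, user IDs and hostnames are constructed sample data.</p>

```python
import html
import ipaddress
import sqlite3
from urllib.parse import urlsplit


def setup_db():
    """Constructed sample data: two users (ids 10 and 20), each owning one invoice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, note TEXT);
        INSERT INTO invoices VALUES (1, 10, 'alice private');
        INSERT INTO invoices VALUES (2, 20, 'bob private');
    """)
    return conn


def get_invoice_vulnerable(conn, invoice_id):
    """Deliberately flawed: the ID from the request is pasted into the SQL text (SQL injection)
    and nothing ties the row to the caller (IDOR). Any user can read any invoice, and
    an ID such as '1 OR 1=1' returns the whole table."""
    sql = f"SELECT id, owner_id, note FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_hardened(conn, invoice_id, current_user_id):
    """Validate the type, bind the value as a parameter, and scope the query to the caller.
    Putting the owner check in the WHERE clause means a forgotten check later in the handler
    cannot re-open the hole; a non-owner gets the same None as a non-existent row."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner_id, note FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


def render_note(note):
    """Encode for the HTML-body context at output time; other contexts (attribute, JavaScript,
    URL) need their own encoders, which template engines normally apply automatically."""
    return f"<p>{html.escape(note)}</p>"


def is_allowed_fetch_target(url, allowed_hosts):
    """SSRF guard for server-side requests: allowlisted scheme and host, and no literal
    loopback/private/link-local address. The address the hostname resolves to must be checked
    again at connect time, since a DNS answer can change between validation and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        if not ipaddress.ip_address(parts.hostname).is_global:
            return False                          # 127.0.0.1, 10.x, 169.254.169.254, ::1 ...
    except ValueError:
        pass                                      # not an IP literal, so check the allowlist
    return parts.hostname.lower() in allowed_hosts
```

<p>Against the sample table, <code class="language-plaintext highlighter-rouge">get_invoice_vulnerable(conn, "1 OR 1=1")</code> returns both rows to anyone, while <code class="language-plaintext highlighter-rouge">get_invoice_hardened</code> returns user 10’s own invoice for ID 1 and <code class="language-plaintext highlighter-rouge">None</code> for ID 2 or for the injection string; the allowlist check refuses the cloud metadata address and <code class="language-plaintext highlighter-rouge">file:</code> URLs while accepting the permitted API host.</p>
<p>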
These flaws can lead to unauthorized access, data breaches, and compromise of sensitive information.</p> <p>Benefits of addressing injection flaws:</p> <ul> <li>Enhanced security posture: Mitigating injection flaws helps protect against various attacks, preventing unauthorized access and potential data breaches.</li> <li>Secure application development: By addressing injection flaws, organizations can follow secure coding practices and ensure the security of their applications.</li> </ul> <p>Actionable steps to address injection flaws:</p> <ul> <li>Implement input validation: Validate all user input against an allowlist of the expected type, length, range and character set. Validation shrinks the attack surface but is not a substitute for the context-specific defenses below, because some legitimate input (a surname with an apostrophe, a comment containing <code class="language-plaintext highlighter-rouge">&lt;</code>) must be accepted and still handled safely.</li> <li>Employ parameterized queries and prepared statements: Use parameterized queries or prepared statements for all database access so that user input is only ever bound as data and never concatenated into the query text. Parts of a statement that cannot be parameterized, such as table or column names and sort direction, must be chosen from a fixed allowlist.</li> <li>Implement output encoding: Encode user-controlled content for the context it is rendered in (HTML body, attribute, JavaScript, URL) at output time, relying on the template engine’s automatic escaping and avoiding its raw or unescaped output helpers; a Content-Security-Policy header adds a second layer should an encoding step be missed.</li> <li>Restrict server-side requests: Validate and sanitize all external requests made by the</li> </ul> <p>Links:</p> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html">OWASP Injection Prevention Cheat Sheet</a></li> </ul> <h1 id="security-testing">Security Testing</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Security Testing - Info.jpg"><img src="/assets/img/blog/6/Security Testing - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Security Testing - Actionable Advice.jpg"><img src="/assets/img/blog/6/Security Testing - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="vulnerability-scanning">Vulnerability Scanning</h2> <p>Vulnerability scanning is the process of identifying and analyzing vulnerabilities in computer 
systems, networks, and software applications. It is a proactive approach to identify potential weaknesses before attackers do. Vulnerability scans typically rely on fingerprinting (version banners, known file paths, response signatures) to judge whether a publicly known vulnerability may reasonably exist, so expect false positives and treat results as leads to validate rather than confirmed findings.</p> <p>Benefits:</p> <ul> <li>Helps identify publicly known vulnerabilities, missing patches and common misconfigurations before they can be exploited by attackers</li> </ul> <p>Actionable steps:</p> <ul> <li>Conduct regular vulnerability scans using automated scanning tools, on a schedule and after significant deployments, against an asset inventory that is kept current so new hosts do not go unscanned</li> <li>Establish a process to track and prioritize vulnerabilities based on their criticality, taking exploitability and exposure (internet-facing or not, reachable before authentication or not) into account rather than the CVSS base score alone</li> <li>Implement appropriate patches or remediation measures for identified vulnerabilities, and rescan to confirm the fix</li> </ul> <p>Links:</p> <ul> <li><a href="https://github.com/projectdiscovery/nuclei">Nuclei</a></li> <li><a href="https://greenbone.github.io/docs/latest/">OpenVAS Greenbone Community Edition</a></li> </ul> <h2 id="dast">DAST</h2> <p>Dynamic Application Security Testing (DAST) is a security testing methodology that assesses the security of web applications by sending requests and analyzing the responses in real-time. 
It helps identify vulnerabilities in the application code, configurations, and server-side components from the perspective of an external attacker, without access to the source.</p> <p>Benefits of DAST:</p> <ul> <li>Identifies security vulnerabilities in the running application, including ones that only appear with the deployed configuration.</li> <li>Tests the application as deployed, so findings reflect the live stack (web server, framework, middleware) rather than the source alone.</li> </ul> <p>Actionable steps for DAST:</p> <ul> <li>Use a DAST tool to scan the web application and identify potential vulnerabilities. Configure authenticated scanning, as most of the attack surface sits behind the login.</li> <li>Scan a staging environment that mirrors production where possible; an active scan submits forms and follows links, so running it against production needs safeguards such as dedicated test accounts and excluded destructive endpoints.</li> <li>Analyze the scan results to prioritize and address the identified security issues, confirming each finding manually before filing it.</li> <li>Regularly perform DAST scans, ideally from the CI/CD pipeline, to ensure ongoing security of the application.</li> </ul> <p>Links:</p> <ul> <li><a href="https://portswigger.net/burp/dastardly">Dastardly</a></li> <li><a href="https://glitchsecure.com/?utm_campaign=blog">GlitchSecure Continuous Security Testing</a></li> </ul> <h2 id="penetration-testing">Penetration Testing</h2> <p>Penetration testing is a security assessment technique that involves simulating real-world attacks to identify vulnerabilities in a system or network. 
It is performed by trained professionals who attempt to exploit weaknesses and gain unauthorized access, giving organizations an opportunity to identify and resolve security issues before malicious hackers can exploit them.</p> <p>Benefits:</p> <ul> <li>Identifies vulnerabilities in systems and networks that could be exploited by malicious actors, including logic and access-control flaws that automated scanners miss.</li> <li>Helps organizations understand their security weaknesses and prioritize remediation efforts.</li> </ul> <p>Actionable steps:</p> <ul> <li>Define the scope and objectives of the penetration test, including written authorization and rules of engagement: in-scope hosts and applications, test accounts, testing windows, and anything that is off limits.</li> <li>Conduct a thorough reconnaissance to gather information about the target.</li> <li>Identify and exploit vulnerabilities to demonstrate real impact, staying within the agreed rules of engagement.</li> <li>Document and report findings with evidence, severity and recommended remediation steps, and retest once fixes are deployed.</li> </ul> <p>Links:</p> <ul> <li><a href="https://owasp.org/www-project-application-security-verification-standard/">OWASP ASVS</a></li> <li><a href="https://owasp.org/www-project-web-security-testing-guide/">OWASP Testing Guide</a></li> <li><a href="https://glitchsecure.com/?utm_campaign=blog">GlitchSecure Real-time Penetration Testing</a></li> </ul> <h1 id="vulnerability-reports">Vulnerability Reports</h1> <table> <thead> <tr> <th>Info</th> <th>Advice</th> </tr> </thead> <tbody> <tr> <td><a href="/assets/img/blog/6/Vuln Reports - Info.jpg"><img src="/assets/img/blog/6/Vuln Reports - Info.jpg" alt="Info" /></a></td> <td><a href="/assets/img/blog/6/Vuln Reports - Actionable Advice.jpg"><img src="/assets/img/blog/6/Vuln Reports - Actionable Advice.jpg" alt="Advice" /></a></td> </tr> </tbody> </table> <h2 id="vulnerability-disclosure-policies">Vulnerability Disclosure Policies</h2> <p>Vulnerability disclosure policy refers to a documented set of guidelines and procedures for reporting security vulnerabilities in software or systems to the organization responsible for maintaining them. 
It defines how individuals can responsibly disclose vulnerabilities they have discovered and how the organization will respond to and remediate those vulnerabilities.</p> <p>Benefits:</p> <ul> <li>Encourages responsible reporting: A vulnerability disclosure policy provides clear instructions for individuals to report vulnerabilities they have discovered rather than exploiting them or sharing them publicly.</li> <li>Improves security: By establishing a clear process for reporting vulnerabilities, organizations can receive timely and accurate information that helps them identify and fix security flaws before they are exploited by attackers.</li> </ul> <p>Actionable steps:</p> <ul> <li>Create a clear and comprehensive policy: Develop a vulnerability disclosure policy that outlines which systems are in scope, what testing is permitted, how to report, how the organization will handle and respond to reports, and safe-harbor language stating that good-faith research within the policy will not be met with legal action.</li> <li>Establish a reporting channel: Provide a secure and easy-to-use mechanism for individuals to report vulnerabilities, such as a dedicated email address (with a published PGP key for sensitive details) or an online form. Publish the channel in a <code class="language-plaintext highlighter-rouge">security.txt</code> file at <code class="language-plaintext highlighter-rouge">/.well-known/security.txt</code> (RFC 9116) so that researchers can find it.</li> <li>Acknowledge and respond to reports: Ensure that you have a system in place to acknowledge receipt of vulnerability reports within a stated time frame and provide regular updates on the progress of remediation efforts.</li> <li>Patch and disclose: Once a vulnerability has been reported and fixed,</li> </ul> <p>Links:</p> <ul> <li><a href="https://disclose.io/">Disclose.io</a></li> </ul> <h2 id="bug-bounty">Bug bounty</h2> <p>Bug bounty programs are initiatives offered by organizations to incentivize cybersecurity researchers to find and report vulnerabilities in their systems and software. These programs can be highly beneficial for companies, as they allow them to identify and fix vulnerabilities before they are exploited by malicious hackers. 
Additionally, bug bounty programs can help organizations improve their overall security posture and gain public trust. For researchers, bug bounty programs provide an opportunity to earn rewards for their skills and expertise.</p> <p>Benefits:</p> <ul> <li>Early identification and mitigation of vulnerabilities</li> <li>Can be cost-effective compared to hiring full-time security experts, since rewards are paid only for valid findings, provided the organization has the capacity to triage the volume of reports, including duplicates and invalid ones</li> </ul> <p>Actionable steps for organizations:</p> <ul> <li>Define clear goals and scope for the bug bounty program, and fix the findings from scanning and penetration testing first; otherwise the program pays out for issues you could have found cheaply yourself.</li> <li>Set up a process to triage and validate bug reports promptly, and consider starting with a private, invitation-only program before opening it to the public.</li> </ul> <p>Actionable steps for researchers:</p> <ul> <li>Familiarize yourself with the organization’s guidelines for testing and reporting vulnerabilities.</li> <li>Thoroughly document and provide clear evidence of any vulnerabilities you find.</li> </ul> <p>Links:</p> <ul> <li><a href="https://blog.opencagedata.com/post/running-a-security-bounty-program-as-a-bootstrapped-business-lessons-learned">OpenCage: Running a security bounty program as a bootstrapped business: lessons learned</a></li> </ul>
Jade Null
Introduction
GlitchSecure at StartupTNT Top 20
2023-10-03T00:00:00+00:00 2023-10-03T00:00:00+00:00
https://glitchsecure.com/updates/startup-tnt-top-20-viii
<p>We’re excited to announce that GlitchSecure has been selected to pitch at the Startup TNT Investment Summit VIII Top 20 Pitch Night in Manitoba.</p> <p>Startup TNT helps early-stage tech companies across the Canadian Prairies connect with angel investors and raise capital.</p> <p>As a small startup headquartered in Manitoba, we don’t have the same opportunities as those on the coast. Getting accepted into the event is our chance to get noticed. 
While funds like TinySeed exist to help companies get off the ground, there’s little out there for follow-on funding outside of the typical SF venture track.</p> <p>While we’re at a stage in our company’s growth where we don’t <em>need</em> additional funding (we’re lean and growing steadily), there is no doubt the pre-seed funds <a href="/updates/joining-tinyseed">we raised from TinySeed</a> made a massive impact on the trajectory of our company, saving us years.</p> <p>We look forward to offering potential investors an opportunity to jump on our train before it’s gone, and hope you’ll be able to join us either in person or remotely on 12 October 2023. Doors open at 5PM CT, with the pitches starting at 6PM.</p> <p>Event details and registration can be found here: <a href="https://www.eventbrite.ca/e/top-20-pitch-night-startup-tnt-investment-summit-viii-tickets-699049394557">https://www.eventbrite.ca/e/top-20-pitch-night-startup-tnt-investment-summit-viii-tickets-699049394557</a></p>
Jade Null
We’re excited to announce that GlitchSecure has been selected to pitch at the Startup TNT Investment Summit VIII Top 20 Pitch Night in Manitoba.
Joining the Catalyst Cyber Accelerator
2023-09-18T00:00:00+00:00 2023-09-18T00:00:00+00:00
https://glitchsecure.com/updates/rogers-cyber-accelerator
<p>I’m excited to announce that GlitchSecure was accepted into Cohort 9 of the <a href="https://cybersecurecatalyst.ca/catalyst-cyber-accelerator/">Rogers Cybersecure Catalyst Accelerator</a>!</p> <p>The intensive three-and-a-half-month accelerator will provide our team with workshops from industry-leading experts, 1:1 mentorship from leading companies &amp; entrepreneurs, and access to a growing network of cybersecurity investors.</p> <h2 id="what-is-the-rogers-cybersecure-catalyst-accelerator">What is the Rogers Cybersecure Catalyst Accelerator?</h2> <p>The Catalyst Cyber Accelerator is Canada’s first and foremost cybersecurity-focused business accelerator, designed to 
help early-stage cybersecurity companies grow into industry leaders.</p> <h2 id="cohort-9">Cohort 9</h2> <p>GlitchSecure joins this 9th cohort alongside 6 other emerging Canadian cybersecurity start-ups.</p> <ul> <li><a href="https://bbinventions.com/">BB Inventions</a></li> <li><a href="https://defencestation.com/">Defense Station</a></li> <li><a href="https://www.linkedin.com/company/emailveritas/">EmailVeritas</a></li> <li><a href="https://www.engaiz.com/">ENGAIZ</a></li> <li><a href="https://indominus.ms/">Indominus Managed Security</a></li> <li><a href="https://neptunecyber.com/">Neptune Cyber</a></li> </ul> <hr /> <p>As an aside, I want to give special thanks to Leigh Honeywell of Tall Poppy for making the introduction and for all the support and mentorship since I started down this journey.</p>
Jade Null
I’m excited to announce that GlitchSecure was accepted into Cohort 9 of the Rogers Cybersecure Catalyst Accelerator!
GlitchSecure raises pre-seed funding
2023-03-30T00:00:00+00:00 2023-03-30T00:00:00+00:00
https://glitchsecure.com/updates/pre-seed-funding
<p><em>This post was originally published on EIN Presswire</em></p> <blockquote> <p>SaaS firm joins TinySeed to accelerate its security platform that provides vulnerability assessments and remediation guidance for businesses of all sizes</p> </blockquote> <p><strong>WINNIPEG, CANADA, March 30, 2023 – GlitchSecure, a company that offers businesses real-time, continuous security testing, announced today that it raised initial pre-seed funding from the TinySeed accelerator program.</strong></p> <p>The funding and TinySeed’s collaborative network will help GlitchSecure in its mission to help secure more online businesses and lower the barrier to entry for high-quality security testing.</p> <p>“Joining TinySeed gives us access to mentorship, advice, and community among a growing list of successful software companies,” said Jade Null, founder of GlitchSecure. 
“The demand for security testing is continually increasing as companies continue to expand their digital presence. By standardizing and automating security testing, GlitchSecure is able to help secure far more businesses than a traditional security consultancy might.”</p> <p>Traditionally, companies rely on annual point-in-time “pentests,” or penetration tests, to identify security vulnerabilities in their applications, APIs, and networks. That method, however, leaves anything introduced between two tests, from new features to newly published vulnerabilities in dependencies, undetected until the next engagement, which can turn into costly problems.</p> <p>GlitchSecure instead uses a continuous testing approach that combines expert-driven pentesting with year-round vulnerability assessments and remediation advice.</p> <p>Using GlitchSecure’s approach can save companies thousands of dollars on their annual pentests as well as mitigate the potential of fines and reputational damage from security breaches. The platform uses a hybrid approach that combines testing processes built by expert hackers, a real-time reporting dashboard, expert advice, and automated security testing.</p> <p>With GlitchSecure, organizations can also view technical details, triage reports, schedule remediation testing, and integrate security automation into their secure development lifecycle.</p> <p>“GlitchSecure is addressing a critical need by providing continuous security testing that helps businesses stay ahead of evolving threats,” said Rob Walling, General Partner at TinySeed. “We’re excited to see their platform help businesses navigate the complexities of software and online security.”</p> <p>Null launched GlitchSecure after developing a passion for securing the web and finding the framework of traditional security consultancies limiting. GlitchSecure helps more companies access world-class security tools that can thwart costly hacking incidents.</p> <p>“With our approach, we’ll be able to help lower the barrier to entry for high-quality security testing and ultimately make the web a safer place,” Null said. 
“By using the same tools and techniques as malicious hackers, we can help identify and remediate security issues before they are exploited.”</p> <p>About GlitchSecure: Founded in 2022 by Jade Null, GlitchSecure provides real-time, continuous security testing to help organizations identify and remediate vulnerabilities in their applications, APIs, and networks.</p> <p>About TinySeed: TinySeed is an early-stage investment fund and remote accelerator program that has invested in more than 90 fast-growing, B2B SaaS companies.</p> <p>Jade Null<br /> GlitchSecure<br /> +1 647-370-1337<br /> [email protected]</p>
GlitchSecure Team
This post was originally published on EIN Presswire