As of the time of this writing, we’ve developed three products along with multiple open source projects.

A core part of our business strategy is to make all of our software accessible to organizations of all sizes, even startups. This means we commit to a pricing model that smaller shops can afford while charging an appropriate amount to larger enterprises. It also means not charging an SSO tax or adopting other counter-intuitive pricing strategies.

PhishTACO

Our flagship product is PhishTACO, a phishing simulation platform.

Email phishing is one of the most commonly exploited attack surfaces for organizations. A few players in the space help organizations conduct ‘safe’ internal email phishing campaigns to gauge their level of human risk and then provide retraining for people who are found to be susceptible to phishing attacks.

Our core value proposition isn’t novel; we just try to do it better and at a better price. For our target audience, better means a simpler interface that is built, managed, and controlled by US persons. Within the US Federal Government there are few vetted providers of this type of service, and we see this as an opportunity to fill a void in the market.

CodeSnitches

This product was a happy accident. While working on imgPress’s compliance, we realized that a key requirement for FedRAMP (among other compliance bodies) is to keep track of vulnerabilities in dependencies. We are required to record when a vulnerability is discovered and when it has been addressed. This data, in aggregate, is what an auditor asks for during an audit. This activity, we figured, could be automated. For JavaScript projects we could use npm’s built-in audit mechanism to find vulnerabilities, and with GitHub issues we could have a ‘database’ of open/close activity.

This morphed into a product that now runs npm audit on your repository on every new commit and every 12 hours. When the audit returns findings, meaning there are vulnerabilities, it opens a descriptive GitHub issue for each one. When the affected dependencies are updated or fixed, the issues are closed automatically. The GitHub API records when each issue was opened and closed, which is what will ultimately facilitate the development of audit-ready reports.
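The reconciliation step described above, written out as an added example (this is illustrative code for this page, not CodeSnitches’ own source): parse an `npm audit --json` report into one finding per advisory, compare it against the issues the tool already has open, and decide which issues to open and which to close. The report shape assumed here is the npm 7+ format (`auditReportVersion` 2, a `vulnerabilities` map with `via` entries); the issue objects mirror the `title`/`number`/`state` fields of GitHub’s REST API but are constructed inline so the example runs offline, and the `[codesnitches]` title marker is a hypothetical convention for recognizing the issues the tool owns.

```javascript
// Added example: reconcile `npm audit --json` findings with open GitHub issues.
// Not CodeSnitches' code; the audit JSON shape is assumed from npm 7+ reports
// and every sample value below is constructed for this example.

const MARKER = "[codesnitches]"; // hypothetical tag marking issues this tool owns

// Constructed `npm audit --json` output: two direct packages with advisories
// and one transitive package that npm reports only "via" its parent.
const SAMPLE_AUDIT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad", severity: "high", isDirect: true,
      via: [{ source: 1, name: "example-left-pad",
              title: "Constructed advisory: unchecked input length",
              url: "https://example.invalid/advisories/PLACEHOLDER-1",
              severity: "high", range: "<1.2.0" }],
      range: "<1.2.0", fixAvailable: true,
    },
    "example-yaml": {
      name: "example-yaml", severity: "moderate", isDirect: true,
      via: [{ source: 2, name: "example-yaml",
              title: "Constructed advisory: prototype pollution",
              url: "https://example.invalid/advisories/PLACEHOLDER-2",
              severity: "moderate", range: "<3.0.0" }],
      range: "<3.0.0", fixAvailable: false,
    },
    "example-transitive": {
      name: "example-transitive", severity: "moderate", isDirect: false,
      via: ["example-yaml"], // string entry: no advisory of its own
      range: "*", fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { high: 1, moderate: 2, total: 3 } },
});

// Constructed snapshot of open issues: one still-current finding (#41), one
// whose dependency has since been fixed (#37), and one unrelated issue (#12).
const SAMPLE_OPEN_ISSUES = [
  { number: 41, state: "open",
    title: `${MARKER} example-left-pad: Constructed advisory: unchecked input length` },
  { number: 37, state: "open",
    title: `${MARKER} example-old-lib: Constructed advisory: already fixed` },
  { number: 12, state: "open", title: "Unrelated feature request" },
];

// Flatten the report into one finding per advisory. Entries whose `via` is a
// plain string only name the parent package, which already has its own finding.
function parseAudit(auditJson) {
  const report = JSON.parse(auditJson);
  const findings = [];
  for (const pkg of Object.values(report.vulnerabilities ?? {})) {
    for (const via of pkg.via ?? []) {
      if (typeof via !== "object" || via === null) continue;
      findings.push({
        key: `${pkg.name}: ${via.title}`,
        severity: via.severity,
        range: via.range,
        url: via.url,
        fixAvailable: Boolean(pkg.fixAvailable),
      });
    }
  }
  return findings;
}

// The issue title doubles as the stable key, so re-running the audit is idempotent.
function issueTitle(finding) {
  return `${MARKER} ${finding.key}`;
}

// Markdown body for a newly opened issue.
function issueBody(finding) {
  return [
    `**Severity:** ${finding.severity}`,
    `**Vulnerable range:** ${finding.range}`,
    `**Advisory:** ${finding.url}`,
    `**Fix available:** ${finding.fixAvailable ? "yes" : "no"}`,
  ].join("\n");
}

// Open an issue for every finding not yet tracked; close every tracked issue
// whose finding no longer appears. Issues without the marker are left alone.
function reconcile(findings, openIssues) {
  const wanted = new Set(findings.map(issueTitle));
  const tracked = openIssues.filter((i) => i.state === "open" && i.title.startsWith(MARKER));
  const trackedTitles = new Set(tracked.map((i) => i.title));
  const toOpen = findings.filter((f) => !trackedTitles.has(issueTitle(f)));
  const toClose = tracked.filter((i) => !wanted.has(i.title));
  return { toOpen, toClose };
}

function run() {
  return reconcile(parseAudit(SAMPLE_AUDIT), SAMPLE_OPEN_ISSUES);
}

// Stand-alone usage: print the plan a real run would hand to the GitHub API.
console.log(JSON.stringify(run(), null, 2));
```

With the constructed inputs, `run()` plans one new issue (the untracked `example-yaml` advisory) and one closure (#37, whose finding is gone from the report), while the unrelated issue #12 is untouched. In a real deployment the open/close actions would be GitHub API calls, and the `created_at`/`closed_at` timestamps GitHub records on each issue become the discovered/addressed dates an auditor asks for.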

imgPress

Managing golden images for virtual machines in AWS is difficult to do in a scalable way. With imgPress we aim to simplify this for enterprise organizations. A detailed write-up can be found in this repo. What might not be immediately obvious is how this plays into security.

When an organization relies on virtual machines (i.e., servers) to run its business, it uses virtual machine images, whether it realizes it or not. Where an organization must be as secure as possible (think banks, hospitals, etc.), it inevitably ends up developing standards around the images from which its virtual machine infrastructure is deployed. These are commonly referred to as golden images. Typically, these golden images are preconfigured with the security standards an organization prescribes for all of its workloads. These standards can be derivatives of the DISA STIG or CIS Benchmarks, or they might even be custom.

Golden images don’t necessarily have to be used to improve security; they can serve something as simple as having a VM preconfigured with MySQL or whatever technologies you desire, irrespective of any security considerations.

imgPress does not “care” about the purpose for which an end user needs to manage golden images at scale; it simply facilitates that capability. It is our assumption and hope that most imgPress users will take advantage of that simplicity to maintain better security through consistent, standardized virtual machine images on public cloud providers.