Tinfoil Security

They make website security regular, affordable, and easy. They crawl your site, a bit like Google, but instead of looking for text and HTML they look for common vulnerabilities in your website. They act as external hackers, picking through each access point on your website, trying to get in. If they are successful, they record where and how they did it, then report back to you! Their custom scanner combines the best (hand-picked and hand-stitched together) pieces of popular open source tools, along with other custom tools built in-house (their "secret sauce") to provide you with the best results. They provide precise vulnerability information, including specific input requests and vulnerability locations. Once you understand what you're dealing with, they will provide you with vulnerability fixes tailored to your specific software stack.



About the company

Founders

Before Tinfoil, Borski did offensive software security in the DC area. He studied Computer Science at MIT.

Ainsley is the Co-founder and CEO of Tinfoil Security. Having graduated with a double degree from MIT, she previously did UI/UX design for the Army while doing security and defense consulting at Booz Allen Hamilton. Her research at MIT led her to look at the world from a visual perspective, trying to understand how people look at things best. She is Tinfoil’s UX gal and loves understanding the way people think, act, view the world, and purchase security products.

Tinfoil Security in the press

Jan. 2, 2017

Trump says hackers can't be caught after a cyberattack -- here's why that's wrong

Even though hackers responsible for the cyberattack on the Democratic Party and Hillary Clinton’s campaign weren’t caught in the act, it doesn’t mean they can’t be identified, as President-elect Donald Trump has asserted. “It’s actually significantly harder to catch somebody in the act than it is to catch somebody after the fact,” Borohovski told Business Insider. “Once they hack, if you don’t catch them in the act, you’re not going to catch them,” Trump said. In May, the Democratic National Committee hired security firm CrowdStrike after a cyberattack and was able to monitor hackers after they breached a network, USA Today reported. In December, officials who spoke to CNN said Russia’s cyberattacks targeting US political organisations have continued unabated, weeks after the election.

Jan. 1, 2017

Trump says hackers can't be caught after a cyberattack — here's why that's wrong

Even though hackers responsible for the cyberattack on the Democratic Party and Hillary Clinton's campaign weren't caught in the act, it doesn't mean they can't be identified, as President-elect Donald Trump has asserted. “It’s actually significantly harder to catch somebody in the act than it is to catch somebody after the fact,” Borohovski told Business Insider. "Once they hack, if you don't catch them in the act, you're not going to catch them," Trump said. In May, the Democratic National Committee hired security firm CrowdStrike after a cyberattack and was able to monitor hackers after they breached a network, USA Today reported. Despite the findings from intelligence officials, Trump has repeatedly dismissed the possibility of Russia influencing the election.

Dec. 18, 2016

Why Trump's assertion that hackers can't be caught after an attack is wrong

Even though hackers responsible for the cyberattack on the Democratic Party and Hillary Clinton’s campaign weren’t caught in the act, it doesn’t mean they can’t be identified, as President-elect Donald Trump has asserted. “It’s actually significantly harder to catch somebody in the act than it is to catch somebody after the fact,” Borohovski told Business Insider. “Once they hack, if you don’t catch them in the act, you’re not going to catch them,” Trump said. On Thursday, officials who spoke to CNN said Russia’s cyberattacks targeting US political organisations have continued unabated, weeks after the election. “Certainly if they attack a system or an email server, they would not have stopped there,” Borohovski said.

Dec. 17, 2016

Why Trump's assertion that hackers can't be caught after an attack is wrong

Even though hackers responsible for the cyberattack on the Democratic Party and Hillary Clinton's campaign weren't caught in the act, it doesn't mean they can't be identified, as President-elect Donald Trump has asserted. “It’s actually significantly harder to catch somebody in the act than it is to catch somebody after the fact,” Borohovski told Business Insider. "Once they hack, if you don't catch them in the act, you're not going to catch them," Trump said. "Certainly if they attack a system or an email server, they would not have stopped there," Borohovski said. Despite the findings from intelligence officials, Trump has repeatedly dismissed the possibility of Russia influencing the election.

Oct. 11, 2016

The US and Russia have quietly reached their biggest chill in relations since the Cold War

That was only the start of a long week — one that saw the two countries entering their lowest point in relations since the end of the Cold War. In an extraordinary moment in Sunday’s presidential debate, Trump said he “disagreed” with his running mate on Syria policy. “The Russia talks didn’t just fail, they failed immediately and completely, with brutal attacks against civilians,” he added. But cyber security experts are divided, too, over whether a more offensive posture would deter potential hackers — or if it would escalate the global cyber war even further. “Attackers only have to succeed once — defenders have to succeed every time.” Bremmer, of Eurasia Group, called the cyber attacks “an unacceptable sovereignty breach” that demanded US retaliation.

Oct. 8, 2016

The US just publicly accused Russia of hacking for the first time -- but fighting back could be a huge risk

“However, we are not now in a position to attribute this activity to the Russian Government,” the statement said. “Escalation is a real risk when you start engaging the attackers, instead of focusing on defence,” Glassberg said. Samuel Bucholtz, the co-founder of Casaba Security, largely agreed that engaging in a cyber war would disproportionately harm civilians. He noted that “cyber is a two-edged sword,” and is better for intelligence gathering than it is for actual warfare. Unlike traditional wars, according to Borohovski, “cyber battles” happen simultaneously across unlimited, constantly changing fronts.

June 8, 2016

Security blindspots: websites, network architects, and third-party code

Worrying about vulnerabilities from internal users or third-party code, however, is moot if security is not part of the network architecture. Thinking about security, then, must extend beyond the components of the enterprise website and out to testing third-party code. Borohovski said a lot of companies struggle with network security, web app security, and third-party/open-source security. "The entire dependency chain with third-party code can become a dangerous proposition and the dependency chains can become quite large," Weber said. Finding issues in both the first- and third-party code is not a singular act.

Feb. 27, 2016

Apple's Escalating Privacy Showdown

(Source: Bloomberg) David Bartosiak, strategist at Zacks.com, discusses the rally in the stock market and his options play for Amazon. Options Insight: Is Amazon Past Its Prime? He speaks with Bloomberg's Julie Hyman on "Bloomberg Markets."

July 9, 2015

Actually, those Chinese hackers put 20 million Americans at risk

The estimated 4 million US citizens whose information was seized by Chinese hackers in this past April's large-scale cyber attack could actually be closer to 20 million. Hackers targeted and seized the full name, birth date, home address and Social Security Number (SSN) of 4.2 million current and former federal government employees. However, reports are surfacing that the number affected by the hack on the US Office of Personnel Management (OPM) could even be closer to 25 million. "We'll be on the lookout for any word from the OPM in the coming days regarding an updated statement on the attacks." At the time of writing, the estimated number of hacked non-applicants hasn't increased, but it very well could.

June 3, 2015

Microsoft's Azure App Service adds web vulnerability scanning from Tinfoil Security

Microsoft today announced that Azure App Service, its cloud service for building websites and mobile apps, now features web vulnerability scanning to ensure that apps are secure as developers build and update them. Interestingly, Tinfoil Security is available in the AWS Marketplace. The new feature, which is available today, comes courtesy of startup Tinfoil Security. “Microsoft Azure App Service chose Tinfoil Security because they are a trusted name in web application security and offer a strong set of services that will help our customers keep their web apps secure,” Microsoft Azure Websites software engineer Nazim Lala wrote in a blog post today on the news. It’s the latest addition to the Microsoft Azure public cloud, which has been steadily growing but remains in the shadow of public cloud market leader Amazon Web Services.

Feb. 19, 2014

500 Startups Demo Day: McClure’s Second Batch Of Startups, Unleashed

We’re in Mountain View at Dave McClure’s 500 Startups HQ where the second-ever 500 Startups Demo Day is about to start. McClure’s 500 Startups primarily invests in early stage startups that focus on the “Three Ds,” design, data and distribution. The incubator invests between $25K to $250K in its portfolio companies; startups that are part of the 500 Startups accelerator program get a $50K investment from the fund at a $1 million valuation and can stay in the 500 Startups offices for around four months. McClure tells me that 500 Startups is primarily looking for startups that have an easily understandable story. McClure tells me that the startups pitching at this Demo Day are unified by a strong international and female founder thread and “attitude” (which is why I cover 500 Startups I guess).

Oct. 7, 2012

5 cloud-native security companies to watch

Virtualization vendors like VMware have their own security offerings, and older security companies are starting to pivot their product positioning towards new kinds of cloud security issues. Tinfoil Security, also launching out of beta in September 2012, is one of the best cloud security examples of the consumerization of IT trend. Netflix is known for building a tool called SecurityMonkey to systematize application security testing and monitoring across its infrastructure. While these cloud-native security startups make headway, big companies are not standing still. Excitingly, there has not yet been a series of security company exits for companies that are truly native to the massive secular cloud and virtualization trends.

Sept. 26, 2012

Tinfoil Security Shows You Where Your Site Is Vulnerable

Braun tells us that Tinfoil Security plans to eventually expand into other forms of security that small and medium businesses need, including mobile, network, and automated social engineering. Launching with investments from Dave McClure, IDG Ventures, RTP Ventures and David Tisch, Tinfoil Security believes the security market is broken, and hopes to fix it with a service that is able to detect exactly where your site is most vulnerable. Today marks the public release of Tinfoil Security’s web application scanner, which not only highlights security issues, but also provides actionable results on how to fix them. Security isn’t exactly the easiest nut to crack, especially for a young startup that is competing with services like Whitehat and McAfee Secure. Still, the founding team of MIT grads touts extensive security experience, and seems to be approaching the ever-growing problem of security with an affordable solution.

May 24, 2012

United Airlines reportedly spills passenger information

"This was something that I ran into completely organically, no shenanigans or security testing on my part (we need approval from a site's owner to run most security testing, and I'm not going to go out and violate wire fraud laws)." Sedat suspects the glitch has something to do with that. United, which has acquired Continental Airlines, recently overhauled its system to include new flights and customers. When he logged out and logged back on, the errant information was gone. An engineer for a company that scans websites for security vulnerabilities recently got a new perspective on the dangers of Web application bugs.

Aug. 18, 2011

Comedy and Cash at 500 Startups' Demo Day

The 500 Startups Demo Day was many things, and it provided a fascinating glimpse of the Silicon Valley culture of the moment. Term sheets would be signed, fortunes made and lost, but not today, now that Demo Day for Class 001 was over. After Day One of 500 Startups Demo Day, most of the checks had been written, the press had spilled its ink, and the spry entrepreneurs of Class 001 were able to breathe a sigh of relief on Day 2. Demo Day may not have definitively answered the question of whether we’re in a startup bubble, but it came close. The singalong was powered by SINGBOARD, a web-based karaoke tool that is part of Class 001 of the 500 Startups Accelerator.

Aug. 16, 2011

The second batch of companies from 500 Startups' Demo Day

Hybrid incubator and seed fund 500 Startups hosted its second demo day in Mountain View today, where more than 30 companies in the program presented in front of investors and press. Here is a breakdown of the second batch of companies that presented today: ChirpMe: ChirpMe is a match-making site for blind dates. You can see the first batch of startups that presented at the firm’s Demo Day today here. WillCall: WillCall is a mobile application that delivers deals on live shows in a specific area. Snapette: Snapette is a mobile application that lets users browse new and nearby pieces of clothing for sale that are popular.