For Design Review projects I provide timeboxed security feedback on a not-yet-built feature. My goal is to give your Engineering and Product teams confidence when making design decisions early, before a product or feature is shipped. Providing design feedback is a well-exercised muscle: I've authored and reviewed countless design documents in my career.
A design review would typically take place before building or shipping a significant feature. During a design review I'll work with Engineering and Product teams to understand the problem you are trying to solve and your constraints. I'll use that to inform a lightweight threat model and to recommend risk-mitigating controls or simplifying changes.
The specific deliverable may vary by project, but overall my goal is to give you a clear sense of the tradeoffs, recommended patterns for useful controls, and my recommended approach. A non-exhaustive list of design review projects I have done:
New AWS feature adoption
An Engineering team was considering adopting AWS Cognito to address a pressing customer need on a tight timeline. AWS Cognito was new to the company, so there was no prior experience operating it safely, and, internally, adopting a new AWS feature required security analysis. I provided configuration hardening guidance and security analysis to de-risk the adoption of Cognito, enabling the team to ship the new feature in days instead of weeks.
Access management features
I've reviewed many designs for internal access management features, including time-limited access, management chain approval, and two-party approval. These designs enabled the company to reduce human review from taking days to taking minutes while retaining strong security properties.
Reliable security libraries
I advocated for changes to make core security libraries significantly less of a reliability risk. My alternative design shifted failure-prone runtime logic into a check that ran once at service start. This change greatly reduced the operational complexity of the security library: the first design required a 99.999% reliability SLA, while my design needed only a 99.9% reliability SLA.
I would also call out that I can not only review designs but also write them and build a workable version.
If you have designs that would benefit from security expertise, contact me at hello@ on this domain for a free consultation.