We are a team of cybersecurity professionals.
The Carve Story
Carve Systems LLC was founded in 2011 to bring enterprise level information security, training, and risk management services to organizations of any size and industry. Like most boutique security consulting shops, Carve has its roots in delivering high-end security consulting services to Fortune 500 organizations. Unlike most, Carve also complements its enterprise consulting offerings with services specifically tailored for mid-size companies.
We believe that true security is found in the continual process of evaluation and improvement required to match the dynamic technology, business, and threat landscape. We’ll advocate for security and challenge your thinking in a way that’s beneficial to your organization.
The Management Team
Jeremy Allen - CTO
Jeremy started writing code for MUDs (Multi-User Dungeons) on a 66 MHz 486 running Slackware Linux in 1995; he has never been the same since.
Jeremy is responsible for conducting risk assessments, threat modeling, code reviews, application security assessments, research, and reverse engineering. He has discovered numerous critical flaws and bugs. He helps organizations by understanding their key risks and building security into their organization (through people, processes, and the technology stack).
Mike Zusman - CEO
At 7 years old, Mike was hammering on the keys of a TI-99 computer. By age 10, Mike was a licensed amateur radio operator and was building Intel x86 computers in his room at home. Today he is a two-time Black Hat speaker with media mentions in publications such as Forbes.
Mike leads Carve Systems to help clients manage technology risk and operate with appropriate levels of security assurance.
Max Sobell - COO
Max Sobell is a partner and COO at Carve Systems. Max runs Carve’s cybersecurity leadership and engineering practice, which helps companies manage technology risk without compromising business objectives. As a technical leader, Max has responsibly disclosed bugs in embedded internet devices, mobile payment systems, public transit, and Android smartphones. Max has presented technical work and vulnerabilities at industry conferences such as CanSecWest and ShmooCon.
Prior to joining Carve, Max held security and engineering roles at Intrepidus Group and financial technology firms.
Why choose us
Businesses often struggle with security teams acting in isolation from the rest of the company. Gaps in communication between the technical and business teams can lead to devastating vulnerabilities, breaches, delayed products, wasted resources, and a damaged reputation.
Organizing your business so that security is part of its inherent structure, rather than an afterthought, is a necessary change if you want to keep your products and employees protected.
At Carve, we know how to integrate our security experts within your business so that communication is streamlined between employees and nothing falls through the cracks.
Cultivation of security champions on engineering teams
Identification of critical security flaws before code is written
Ownership of high-risk issues from discovery through remediation
Tailored automation for continuous security improvements
Syncing of business and security goals to deliver products more quickly and securely
Asset management is a problem we help many of our customers with. What are an organization's assets, and how accurate and up-to-date is this information? Even with a mature asset management program, organizations want some form of validation of their results. From a...
One of the more common findings we report from Android security reviews is an issue involving hard-coded secrets. This blog post will focus specifically on hard-coded secrets used for encrypting application data. I'll try to use a bit of light threat modeling and risk...
When this Project Zero report came out, I started thinking more about USB as an interesting attack surface for IoT devices. Many of these devices allow users to plug in a USB device and then perform some actions with it automatically, and that automatic functionality...
When reverse engineering a binary application, at its lowest practical layer, the reverse engineer is looking at CPU-specific assembly language. In order to fully understand the application, the reverse engineer would need to understand those lower layers, instruction...
A few months ago, I was testing the email functionality on a company's "contact us" page when I sent an email to myself containing: <script> alert("Hi, It's almost lunch time") </script> It actually was close to lunch time, so I wrapped up testing and waited for...
If you missed Brad's talk, sign up for his webinar. You might not know it, but right now thousands of athletes are training and competing in virtual worlds. I'm not talking about League of Legends or Fortnite; those games aren't the only eSports in the world. There are...
In recent years it has become popular to use Content Delivery Networks (CDNs) provided by cloud hosting providers. Amazon's CloudFront is an example of a popular CDN. These CDNs can take advantage of HTTP caching to reduce latency for a global pool of end users. There...