TechNet Cyber 2019: Here we come!

Ready for another round of “Do Good With Your Data”? Join us at TechNet Cyber in Baltimore this weekend! In the vein of our community partner for the year, HSSV, we’ve deviated a bit to support veterans, the folks TechNet serves.

We believe your data should be used for something good, and want to encourage you to think about what your data is worth.

To help us with our mission, Tinfoil Security has partnered with Freedom Service Dogs of America for TechNet Cyber 2019. FSDA provides assistance dogs for veterans returning from Iraq and Afghanistan. Each dog provides support as veterans re-enter civilian life, including companionship for disabled veterans. For every badge we scan we will make a donation to FSDA. The more scans we get, the more money goes toward this incredible foundation and the more of an impact we can make for those who gave so much to protect us. Help us help veterans.


Additionally, we’re excited to announce that our founders have both won the AFCEA 40 under 40 award this year! We are humbled and honored to be selected. We have a booth at TechNet Cyber in Baltimore this year, and would love to chat. Feel free to stop by booth 2143 for a conversation and a tinfoil hat. 


TechNet Cyber - a way to connect government and military leaders with industry leaders - gives us the opportunity to further educate business and government leaders about the necessity of a security-first mindset. We believe that the internet and its users need more security, and we strive to make that goal a reality, one company at a time. If even a few companies or government agencies see the advantages of securing web applications and APIs in their DevOps pipeline, our mission at TechNet Cyber will have been a success.

Most post-breach plans by IT leaders have a common flaw: the plans are reactive rather than proactive. Security should be the first thing you develop a mindset for. A good guide to start with is the SANS Top 5, especially if a security team is a new addition to your organization.

A large number of breaches are the direct result of something easily preventable. This is the most frustrating aspect of most breaches: something easily preventable causing damage to consumers and companies alike. Human error is too high for the demanding nature of today’s SDLC; that’s where automated tools come in. A solid security team augmented with a great web application and API scanner works to ensure that you are doing everything you can to be secure.

We are excited to attend TechNet Cyber 2019. We’ll be at booth 2143, so make sure you stop by and have a conversation about how our web application and API scanners can help your company be secure and efficient. If nothing else, stop by the booth to see if you can do more push-ups than Derek. ;)


Nicholas Bates

Nicholas is The Writing Writer, or Tinfoil Security's new Technical Content Writer. He has a background in network security where he worked as an engineer for 7 years before joining the Tinfoil team. As a father of his 3-year-old daughter, when he is not writing you can find him hiking with his family, or practicing Jiu-Jitsu.


RSA Conference 2019: Questions, Comments, Concerns?

What Just Happened?!

A little over a month ago, the Tinfoil Security team was out in full force at RSA. We met and talked to over a thousand of you. We were ecstatic about these conversations, as what we have been working on fell in line with what developers, CISOs, and security engineers see as relevant and essential. The fact that security continues coming to the forefront is good for everyone. The more security awareness that is out there, the more the expectation for security will rise. With that, the companies that have poor security practices will lose. Consumer information will be protected with better and improving security practices and processes.

The Takeaways

There were a few things that we believe stuck out the most at the conference. First, GDPR: what is going on with it, how do we comply, and do we need to comply? These were a few of the questions floating around regarding GDPR. A new sub-industry has been created by GDPR. At this year’s RSA, there were many consulting, auditing, or assessment companies explicitly playing in the GDPR “field.” We gained some insight into GDPR as far as it applies to companies moving forward. In a general sense, there is a lack of a clear plan or outline for GDPR compliance. California has come up with its own new privacy law that has companies concerned and confused as well. The sentiment that I gained from this is that there will be a rather large learning curve when it comes to tech companies and GDPR compliance.

The second theme was the adoption of the idea of Security of DevOps or a security-first mindset when developing applications. This idea was pushed further into the light by our very own CEO, Ainsley, with her talk at RSA (“Building Security Processes for Developers and DevOps Teams”) which highlighted how the world of technology and development has changed. Briefly, the pace at which we push code is impossible to keep up with security-wise using old processes, technologies, and teams. Tackling this monumental task means building a multidisciplinary team to handle security and development for your applications. Her talk also focused on how to bridge the communication gap between operations, security, and development, breaking down the walls that currently exist.

The last hot topic was IoT and securing IoT devices. Few companies know how to build secure internet-connected devices. As the adoption of IoT devices ramps up, consumers are left less secure and have a wider attack surface. For the time being, consumers should consider being skeptical of IoT devices and take into consideration the increased level of vulnerability they are opening themselves up to. There should be a few fundamental considerations made by any company that wants to play in the IoT space. At a minimum, companies should find where their threats lie and build processes to reduce those threats. Releasing information to consumers around what they’re working on fixing and what the consumer is still vulnerable to helps as well. There are currently no laws we’re aware of that would force companies to disclose that information to consumers, but companies like Synology, 1Password, and Microsoft do an outstanding job of keeping their consumers up to date about what they're working on and what they have remediated.

In Summary

This year’s RSA Conference centered around a few main points that were reiterated throughout the entire conference. GDPR is here to stay, so how do companies cope with it? Security for DevOps was a major concern as well, with questions focused on how to get teams to work together, whether they are focused on development or security. Additionally, how can we automate some of the processes involved in developing secure applications? We can help with this point. Lastly, the overall impact of IoT was ever-present, with everyone asking questions around where security in the IoT space is going and how we believe it needs to get there. Did you find these same themes echoed at RSA? Are there things we should know or ideas we missed? Let me know.



Nicholas Bates


Tags: security DevSec DevOps


You've Got the Swagger, We've Got the SaaS

API security scanning changes today. Tinfoil Security is launching our new patent-pending API Scanner! After astounding feedback from developers leveraging our scanner and rigorous testing, we are proud to offer our scanner to the public. We are giving developers and companies the ability to scan and secure APIs with two different methods of deployment: on-premise and SaaS. We are very excited to invite you to see the API Scanner in action. 

As a clarification, we’re talking about web-based APIs such as REST APIs, web services, mobile-backend APIs, and the APIs that power IoT devices. We are not targeting lower-level APIs like libraries or application binary interfaces - a crucial distinction to make. The sorts of security vulnerabilities that affect web-based APIs are going to mirror the same categories of vulnerabilities we’ve spent the past eight years defending against with our web application scanner.

We’ve built a security scanner that understands how APIs work from the ground up, how they’re used, and most importantly, how they’re attacked. Existing solutions use a web application scanner to scan APIs, but that approach does not take into account the unique nature of APIs. Just as web applications can be vulnerable to issues like Cross-Site Scripting (XSS) or SQL injection, APIs can also fall prey to similar attacks. It isn’t quite that simple, though, and the nuances of how these vulnerabilities are detected and exploited can vary drastically between the two types of applications. In the case of XSS, for example, the difference between a vulnerable API and a secure API depends not only on the presence of attacker-controlled sinks in an HTTP response, but also on the content-types of the responses in question, how a client consumes those responses, and whether sufficient content-type sniffing mitigations have been enforced.
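To make the content-type point concrete, here is a small response classifier. It is an added example written for this post, not code from Tinfoil’s scanner: given a response’s headers and body plus a harmless canary string that was echoed through the API, it decides whether the reflection matters to a browser by looking at the declared media type and whether X-Content-Type-Options: nosniff is present. The sample responses, the canary value and the risk-level names are constructed.

```python
"""Decide whether a value reflected into an API response is exploitable as XSS,
taking the response Content-Type and sniffing mitigations into account.
Added example (not Tinfoil Security's scanner logic); the responses below are constructed."""
from dataclasses import dataclass

# Media types a browser renders as a document; reflected input there is live markup.
DOCUMENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass(frozen=True)
class Verdict:
    level: str   # not_reflected | hardened | missing_nosniff | sniffable | rendered
    reason: str


def header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def classify_reflection(headers, body, canary):
    """canary is a harmless unique token the scan sent and the API echoed back."""
    if canary not in body:
        return Verdict("not_reflected", "canary not present in response body")
    ctype = media_type(header(headers, "Content-Type"))
    nosniff = header(headers, "X-Content-Type-Options").lower() == "nosniff"
    if ctype in DOCUMENT_TYPES:
        return Verdict("rendered", f"reflected into {ctype}, which browsers render as markup")
    if not ctype:
        return Verdict("sniffable", "no Content-Type; browsers may sniff the body as HTML")
    if not nosniff:
        return Verdict("missing_nosniff",
                       f"{ctype} is not rendered as HTML, but X-Content-Type-Options: nosniff is absent")
    return Verdict("hardened", f"{ctype} with nosniff; reflection is not browser-exploitable")


def scan_responses(responses, canary):
    """Run the classifier over (name, headers, body) tuples; returns {name: level}."""
    return {name: classify_reflection(h, b, canary).level for name, h, b in responses}


# Constructed sample responses that a JSON search endpoint might return.
CANARY = "tfcanary7f3a"
SAMPLE_RESPONSES = [
    ("json_nosniff", {"Content-Type": "application/json; charset=utf-8",
                      "X-Content-Type-Options": "nosniff"}, '{"q": "%s"}' % CANARY),
    ("json_plain", {"Content-Type": "application/json"}, '{"q": "%s"}' % CANARY),
    ("html_error_page", {"Content-Type": "text/html"}, "<p>No results for %s</p>" % CANARY),
    ("no_content_type", {}, '{"q": "%s"}' % CANARY),
    ("not_echoed", {"Content-Type": "application/json"}, '{"count": 0}'),
]

if __name__ == "__main__":
    for name, level in scan_responses(SAMPLE_RESPONSES, CANARY).items():
        print(f"{name:16s} {level}")
```

The useful part for a defender is the middle two verdicts: a JSON endpoint that echoes input is only a finding worth fixing when the response can end up rendered, so the remediation is as much about consistent Content-Type and nosniff headers as about output encoding.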

APIs also aren’t discoverable. Unless you’re one of the dozen companies in the world with a HATEOAS-based API, it isn’t possible for a security scanner to load up your API, follow all of the links, and automatically discover all of the endpoints in that API. The parameters expected by those endpoints, and any constraints required by them, are even harder to discover. Without some way of programmatically acquiring this information, API security scanning simply can’t be automated in the same way that web scanning has been.

To deal with these discoverability issues in APIs, we looked at standards like Swagger, RAML, and API Blueprint. We’ve found that Swagger (now known as the OpenAPI Specification), in particular, is winning out as the standard for API documentation. In response, we’ve designed our API scanner to ingest Swagger documents and use them to build a map of an API for scanning. Doing so solves the issue of being unable to crawl an API. It also allows us to scan APIs with a higher level of intelligence than black-box dynamic web application scanning has ever been able to.

We have addressed authentication issues using something we call authenticators. We’ve distilled API authentication down to its foundations; whether that’s as simple as adding a header or parameter to a request, or as complex as performing an entire OAuth2 handshake and storing the received bearer token for later use. We’re then able to chain together all of the authenticators, incrementally transforming unauthenticated requests into authenticated ones. Having such a nuanced understanding of all the steps of an authentication workflow lets us detect when any of those steps have failed, and when the server isn't honoring any of them. This allows us to fuzz the individual steps of an authentication flow, providing a powerful tool for determining authorization and authentication bypasses.
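As an added illustration of the authenticator idea (example code, not Tinfoil’s implementation), the following chains a static API-key header with an OAuth2 client-credentials step, raises when the token step fails to produce a token, and checks that the target actually rejects the bare request and accepts the chained one. The token endpoint, API server, client id and secret, and API key are all constructed in-memory stand-ins.

```python
"""Chain small 'authenticators' so an unauthenticated request becomes an
authenticated one step by step. Added example (not Tinfoil Security's code):
the token endpoint, API server and credentials are constructed stand-ins."""
import copy
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class AuthStepFailed(Exception):
    """A step did not yield what the next step needs (e.g. no token came back)."""


class HeaderAuthenticator:
    """Simplest case: a static header such as an API key."""
    def __init__(self, name, value):
        self.name, self.value = name, value

    def apply(self, req):
        req.headers[self.name] = self.value
        return req


class QueryParamAuthenticator:
    """Credentials carried as a query-string parameter."""
    def __init__(self, name, value):
        self.name, self.value = name, value

    def apply(self, req):
        req.params[self.name] = self.value
        return req


class OAuth2ClientCredentials:
    """Perform the client-credentials grant once, cache the bearer token, attach it."""
    def __init__(self, token_endpoint, client_id, client_secret):
        self.token_endpoint = token_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self._token = None

    def apply(self, req):
        if self._token is None:
            resp = self.token_endpoint({"grant_type": "client_credentials",
                                        "client_id": self.client_id,
                                        "client_secret": self.client_secret})
            if "access_token" not in resp:
                raise AuthStepFailed(f"token endpoint answered {resp}")
            self._token = resp["access_token"]
        req.headers["Authorization"] = f"Bearer {self._token}"
        return req


def authenticate(req, chain):
    """Run every authenticator in order on a copy, leaving the original untouched."""
    out = copy.deepcopy(req)
    for step in chain:
        out = step.apply(out)
    return out


def auth_enforced(send, req, chain):
    """True only if the server rejects the bare request and accepts the chained one.
    A 2xx on the bare request means the server is not honoring the auth steps."""
    anon_status = send(req)
    auth_status = send(authenticate(req, chain))
    return anon_status in (401, 403) and 200 <= auth_status < 300


# --- constructed stand-ins for a token server and the API under test ---------
FAKE_CLIENTS = {"scanner": "example-secret"}   # constructed credentials
ISSUED_TOKENS = set()


def fake_token_endpoint(form):
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if FAKE_CLIENTS.get(form.get("client_id")) != form.get("client_secret"):
        return {"error": "invalid_client"}
    token = "tok-" + secrets.token_hex(8)
    ISSUED_TOKENS.add(token)
    return {"access_token": token, "token_type": "Bearer"}


def fake_api_server(req):
    """Requires a valid bearer token and an API-key header; returns an HTTP status."""
    bearer = req.headers.get("Authorization", "")
    if not (bearer.startswith("Bearer ") and bearer[7:] in ISSUED_TOKENS):
        return 401
    if req.headers.get("X-Api-Key") != "demo-key":
        return 403
    return 200


def demo_chain():
    return [HeaderAuthenticator("X-Api-Key", "demo-key"),
            OAuth2ClientCredentials(fake_token_endpoint, "scanner", "example-secret")]


if __name__ == "__main__":
    req = Request("GET", "https://api.example.test/v1/users")
    print("auth enforced:", auth_enforced(fake_api_server, req, demo_chain()))
```

Because each step is a separate object, a scan can drop or alter exactly one of them and observe whether the server’s answer changes; auth_enforced is the simplest such check, and it is also a useful regression test for your own API.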

Some features that will get any developer excited: 

  • Intelligent payload generation
  • A powerful REST API to control the scanner and its reports
  • First-class support for API authentication workflows

What we mean by intelligent payload generation is parameter fuzzing that takes into account the schemas of the parameters: the types of the parameters, their constraints, whether a parameter is required, and valid inhabitants of each type, to name a few.

In addition to vulnerability scanning, our scanner also performs correctness checking and looks for bugs to reduce an API’s attack surface. With full integration into your existing CI/CD pipeline, we create and track issues and vulnerabilities easily, allowing your teams to focus on what’s most important to your organization.

You can, for the first time, secure your APIs with a scanner that was built specifically for APIs. We’re not just pointing our web application scanner at your API and calling it good. Our API scanning is intelligent and thorough. By using your API’s specification as an outline, we focus on security vulnerabilities as they manifest themselves within APIs. This means fewer false positives, a higher degree of coverage, and a better understanding of the risk posture posed by your APIs.

There is every reason to give our unrivaled API Scanner a test drive, and you can do it right now. For a more detailed feature breakdown, please refer to this post.



Nicholas Bates


Tags: Free Scan Launch DevSec DevOps


Do good with your data at RSA, with Tinfoil Security!

We’re at RSA this year for another episode of “Do Good With Your Data.” There’s one more day left in the conference, and dropping by our booth comes with a little extra for every badge we scan.


Last year, we took the opportunity to use your data to do good. For each badge we scanned, Tinfoil Security donated a meal to those in need, right here in San Francisco. We provided meals to the hungry for more than 3 months!


This year, our community partner is Humane Society Silicon Valley! With each unique badge scanned at RSA, Tinfoil Security will make a donation to our furry friends in need. HSSV has been serving our local community for over 80 years, and was recently celebrated as the first model shelter in the nation. Tinfoilers love this particular location, volunteering their time and fostering an array of animals. We’ve had kittens and dogs that are small, sick, three-legged, and even blind!


To help us with our mission this year, we have advocates, Grace and Hopper, from HSSV. Both are young adult cats looking for their forever homes. Come by for a kitty break and learn more about them, HSSV, and Tinfoil!


More about our mission:


At least once during this year’s conference, you’re likely to scan your badge for free swag - a pen, a beer, a t-shirt, or the chance to win a prize. Every year, we are astonished at how much companies have invested in items that would hopefully attract your attention so they could partake in a swag exchange to get hold of your data. Many items you might collect are fun and useful - we love the nerdy things! However, our goal is to encourage you to think about how much data you share when your badge is scanned, and what you are willing to give up for it. We want you to ask yourself: “What is my data worth?”

Don’t want your badge scanned at all? Come to our booth (#3216 South Expo) and we will show you a hack to protect your data! We will also be giving away free pens, stickers, and tattoos - no badge scan required!


In case this is your first time hearing about us:


Tinfoil Security provides security tools for developers and DevOps teams. We integrate into your current development workflow, empowering developers to find and fix vulnerabilities as a part of their normal development process. Our goal is to increase bandwidth for your security teams while training developers to code more securely and treat vulnerabilities as normal bugs. Whether you’re building web applications or APIs powering mobile backend servers, IoT devices, and web services, we have a dynamic vulnerability scanner that’s right for you and your team.


More about our 2019 Community partner: Humane Society Silicon Valley


Humane Society Silicon Valley (HSSV) is an independent, privately funded, 501(c)(3) non-profit organization serving people and pets for over 80 years. HSSV offers quality adoptions, affordable spaying/neutering, vaccinations, microchipping services, pet care services, and education programs to enhance the human-animal bond. Established in 1929, HSSV has adopted more than 500,000 animals into permanent, loving homes.


You can make a donation directly at: http://hssv.org


Don’t forget to visit Tinfoil Security at our RSA Booth # 3216 (South Expo).


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.


Unique Benefits To Attract And Retain Strong and Diverse Candidates

Preface: I’m not a lawyer. Consult a tax and/or employment law attorney before implementing any new benefits. You can also check out the IRS guidelines to how fringe benefits are taxed. 

Being a startup is tough. Sometimes you don’t have enough cash, or time, but you need the best people possible to build up your product and make sure you are competitive. We’re always trying to think of ways to reward our employees without breaking the bank, while also showing how much they matter to us and how much we value them.

The biggest cost we face is losing an employee. When an employee leaves, we lose some of the knowledge that they have. Even if we’re great at documenting that institutional knowledge, we’re never perfect. Even interns at Tinfoil often work on big-picture, large-scale projects that affect the whole business. 

We have spent a lot of time exploring standard and fringe benefits, assessing how they can affect employee happiness. We also believe that people of differing backgrounds add different perspectives, leading to a stronger company and a stronger set of products. These benefits help us recruit a diverse company, with many of our current employees being LGBTQ+, international, or women. Other security companies struggle to find diverse candidates (e.g., cybersecurity is comprised of only 14% women). We feel like we’ve started down a good path.

Outlined below are some of the benefits we’ve tried in the past, or currently have in place, along with the advantages and pitfalls you might encounter.

Background

We’re a 7+ year-old company, based in the San Francisco Bay Area. We raised a seed round in 2011, but are currently profitable and have not needed to raise a Series A. Many of these benefits were implemented before we hit profitability, and ramped up slowly so people remain excited about what is next.

Healthcare

Overview

Healthcare, vision, and dental were required benefits when we started Tinfoil. Our first employee wouldn’t have joined without them.

Amount we put toward benefit

  • 85% of a base plan for medical (typically, the best gold we can offer). Employees can get $0 premiums by choosing a less robust plan. 
  • 100% of vision.
  • 75% of dental.
  • Dependent coverage of 50% (for all of the above)

Why?

We didn’t want to cover 100% of the best plan we could, because we prefer folks have some skin in the game and pick the plan that’s most appropriate for them, rather than just picking an expensive one they don’t need or won’t use. We also wanted to make sure that we could help cover the cost of dependents. We didn’t want to cover 100%, in order to make sure we really were better than the healthcare offered by their spouse’s plan (if their spouse’s employer provided healthcare).

Benefit to employees / company

The benefit to employees is obvious, but companies also benefit from healthy and happy employees. Healthcare can affect one’s financials, and if an employee is worrying about their finances, that’s time they’re not spending focused on the company.

Who it affects

Every employee

Pitfalls

If you don’t pick a good enough plan, or if you don’t cover enough, some employees may not feel comfortable joining your company.

Employee response

We’ve never had any issues with the amount we cover, but we have had some issues with the provider we pick. We were using Anthem and our employees chose to cut back the % we cover (though it would cost them more) to have a more reliable provider whenever we had to submit for out-of-network costs. We ended up with Blue Shield and had more profit the following year, so brought the employees back to 85% coverage (from 75%).

Anything else to watch out for

Be attentive to your employees’ health. You can’t ask how healthy they are, but if they mention they’re concerned about covering healthcare bills, be proactive in helping them fix the issue.

FSA (Flexible Spending Account)

Overview

An FSA is a Flexible Spending Account. Employees can put money into this account, pre-tax, and use the money on healthcare related items. At the end of the year, any leftover money can be rolled over into the next year (if your plan allows a rollover) up to a maximum amount. Anything that’s unable to be rolled over is forfeited to the company.

Amount we put toward benefit & Why

We added an FSA for one year, allowing for up to a $500 rollover (the maximum federal allowance). We cut it because so few people used it, and those who put money in didn’t end up using it.

Benefit to employees / company

This is a benefit that allows employees with high or consistent medical expenses to pay for those expenses pre-tax.

Who it affects

All employees, except founders and highly compensated individuals (generally those making $120k salary, or those owning 5% or more of the company, but there is a whole list of stipulations defining highly compensated individuals; again, talk to an attorney for further assistance).

Employee response

Some employees were excited to get their glasses pre-tax, but our team happens to be generally healthy. Few employees put money into their FSA, and those that did didn’t use the full amount in it. 

Family Planning Assistance

Overview

We provide assistance for family planning, including egg freezing, IVF, adoption assistance, surrogacy, sperm freezing, vasectomies, etc. The benefit needs pre-approval by the founders / HR ahead of time, though we would like to get a good automated system set up.

Amount we put toward benefit & Why

$5k/year with a $25k lifetime max

Benefit to employees / company

This allows any of our employees to build their personal and family lives any way they see fit.

Who it affects

All employees

Pitfalls

You have to tread lightly when it comes to reproductive health, and you can’t ask for proof of use of this benefit, which is why external platforms are helpful to implement. We also highly recommend only executives or HR receive approval requests to avoid any potential discrimination.

Employee response

Our employees were surprised when we added this benefit, and it led to a lot of interesting debate. From that debate, we added coverage for things like sperm freezing, vasectomies, etc. We also leave our policy open to be modified at any point in time, and keep our doors open for any benefit suggestions.

It has been great for LGBTQ+ and female recruitment. Even if somebody doesn’t end up needing it, they appreciate that there is a support system set up for them and others like them.

Anything else to watch out for

There are many reasons why companies implement this benefit. If your intent is to delay motherhood or get women to work longer, you’re setting yourself up for a toxic culture. You also have to be careful about how you message these benefits, so that the intent is not misconstrued.

You can also consider covering additional allowances for services beyond the norm. For example, you may discuss whether or not to cover the FDA approval process for egg or sperm donation. Going through this process allows employees who never use their eggs or sperm to donate them to a friend, family, or other person in need. There are other caveats like this that you’ll want to consider and decide whether to include, and whether to add additional funding toward them.

There are a lot of platforms to help you with family planning assistance to avoid some of the legal headache of managing reimbursement for health. Unfortunately, we found most were cost-prohibitive for us and didn’t cover everything we wanted to cover.

Sadly, this is a taxable benefit. Your employees can submit it as a healthcare expense on their tax returns to hopefully recoup some of what is lost with the initial benefit payment.

Charity Match Program

Overview

One of our values at Tinfoil is community. We believe in making sure we support our values and any community our employees are a part of. As such, we’ve established a charitable donation match program. 

Amount we put toward benefit & Why

We match up to $1,000, annually, in charitable donations made by an employee.

Benefit to employees / company

This allows our employees to support causes they care about and shows our support for them and their beliefs.

Who it affects

All employees

Pitfalls

We once did a fundraiser at a conference where, for each badge we scanned, we bought a meal for the homeless. One person (out of the thousands we spoke with) said that giving to the poor causes them to stay poor forever. Though we could debate this topic forever (especially given that we were donating meals rather than cash), there will always be somebody who doesn’t believe in giving to charity. That’s ok.

We implemented this through our benefits and payroll provider, Gusto, which helped to make sure that the giving by our employees is anonymous. Gusto knows how much they donated, and matches it for us, but we don’t need to know, and we prefer it that way. Employees are free to support any cause they believe in, and we will match it, as long as it is a 501(c)(3) nonprofit.

Employee response

Not every employee takes advantage of this benefit, but those that do, love it. The response, in general, has been really positive, and people like the fact that we ‘put our money where our mouth is’ with regard to supporting the community around us.

Fitness Reimbursement

Overview

Healthy employees are happy employees. We encourage folks to regularly exercise, and will reimburse for any exercise class, including gym memberships, dance classes, exercise classes, Brazilian Jiu-Jitsu, etc.

Amount we put toward benefit & Why

Up to $80 of expenses spent each month.

Benefit to employees / company

We all get healthy! When an employee starts exercising, we’ve seen their productivity increase significantly within weeks. We also love when they become passionate about a new hobby and can teach everybody in the office something new.

Who it affects

All employees

Pitfalls

Some companies only cover the cost of gym memberships. This limits who can use the benefit. Open it up to include lots of different sports and hobbies!

Anything else to watch out for

We have an attendance requirement for this benefit. You must print out your attendance or have your instructor / trainer sign off that you’ve attended at least 4x/month or 75% of offered classes, whichever is lower. This allows some employees taking a 1x/week class to attend 3 classes a month and still get reimbursed. There is flexibility on this policy if you’re traveling for work and can’t attend your usual classes or gym.

This is a taxable benefit, so make sure you’re tracking it correctly. Talk to an attorney.

Long Term Disability

Overview

It’s important to remember that not everybody is healthy and if one of your employees does have a lasting illness like MS, debilitating cancer, etc., they should still be supported somehow. Long term disability insurance allows your employees to receive a portion of their salary if they’re unable to work again.

Amount we put toward benefit & Why

We cover 100%. It’s a reasonably affordable benefit, but really gives us the ability to support our employees in the case of an unforeseen, disastrous event.

Benefit to employees / company

This gives us all peace of mind, and allows us to focus on the big picture of the business, rather than worrying about our personal life and finances.

Who it affects

All employees

Employee response

Employees who have had family members with debilitating illnesses at any point in their lives appreciated being given LTD.

Anything else to watch out for

We don’t do short term disability (STD), because CA-provided STD is better than anything we can buy. As we expand our employee base outside of CA, we’ll consider adding short term disability.

Fun Items to Check Out

Overview

To prevent burnout, we want to encourage people to go out and do fun things outside of work. We’ve started to purchase small things for the office that employees can check out for the weekend or a short period of time. Examples include an ice cream machine and inflatable kayak (+ life jackets + paddles). 

Amount we put toward benefit & Why

There’s no set amount, but as we have started to add items we have started to keep track of them.

Benefit to employees / company

This allows employees to use something they could buy themselves, but would rarely use. 

Who it affects

All employees

Pitfalls

Make sure you have waivers for specific items, and a sign out / return sheet. Each item must be signed out and, if it isn’t returned, it must be replaced by the employee. Accidents happen, so if an item breaks we are lenient and don’t make the employee replace the item. Most things are under $100 on Amazon, so they’re easy and quick to replace.

Employee response

Some things are rarely checked out, and some things are checked out regularly. It’s nice to have a variety of items to offer.

Educational Stipend

Overview

One of our values is curiosity. My co-founder and I started Tinfoil with the goal of wanting to learn something new every day, and this is one way we can help our employees achieve that goal for themselves. 

Amount we put toward benefit & Why

We provide up to $5,000, annually, for furthering education. This must be manager approved, relevant to your work (though it can be a broad application), and must be paid back, on a prorated basis, if you leave within one year of the end of the training.

Who it affects

All employees

Pitfalls

Make sure you ask for proof of completion of the course before you reimburse, or a passing grade if an exam exists. We always want to see our employees finishing what they start before we cover new education adventures.

Employee response

We’ve had employees take $10 Excel courses and $500 coding courses. We’ve also had some of our employees without college degrees begin to pursue those. We love seeing them grow when they’re given access to something they wouldn’t have otherwise.

Anything else to watch out for

Federally, the maximum amount you can pay toward education for your employees before it’s taxed is $5,250. Make sure you’re within the law, and tax it correctly; talk to an attorney.

401k

Overview

A 401k is a simple retirement plan. Most employees will likely partake in a 401k, unless they are foreign and face unusual tax implications.

Amount we put toward benefit & Why

We match 100% of the first 3% of an employee’s salary that they put into their 401k, and 50% of the next 2% of their salary. So if an employee puts 5% of their salary into a 401k, we match 4% of their salary.

Benefit to employees / company

Employees are able to build up their retirement plan pre-tax (using a traditional 401k) or post-tax (if you choose to offer a Roth 401k option), while also getting a match for a percentage of their salary.

Who it affects

Potentially all employees.

Pitfalls

Companies can run into a lot of issues with non-discrimination testing, so we’d highly recommend implementing a Safe Harbor match, which removes the need to worry about non-discrimination testing. Talk to an attorney.

Employee response

Our employees were ecstatic when we added the 401k. 

Coming soon:

529 College Savings Plan

Once we have more employees with children, we’ll be offering college savings plans. Gusto now provides this with Gradvisor. It can allow employees to save for college tuition, or to save for education for family members pre-tax; it can also be used to save for certain K-12 programs and expenses as well.

Life Insurance

It’ll be a while before we are able to add life insurance. For a business under 50 employees, most life insurance policies we looked at were cost-prohibitive or didn’t cover enough. Our employees are hoping for life insurance policies that cover a multiple of their salary, rather than a fixed amount.

More fun items to check out

There are always more fun items employees could check out to use on the weekends. When we’re around 50 employees, we’d love to get SF Zoo passes and Monterey Aquarium passes. A lot of family-friendly organizations allow businesses that donate to receive bulk tickets / transferable tickets as thanks. This allows us to work toward our community value while still providing thanks to our team members. 

As with anything HR related, there can be issues. Be quick to respond to concerns, and always keep an open-door policy. Employees may come up with something brilliant for your team you just haven’t thought of yet.


Ainsley Braun
