Stanford Security Clinic logo

We provide pro bono digital security and safety consultations for the Stanford community. Hosted by Applied Cyber, the Clinic’s mission is to ensure

  • the sensitive data entrusted to your company or product remains private and out of the hands of attackers,

  • you understand — and are working to mitigate — the security risks your product or company faces, and

  • you think clearly about the safety of your users and the potential for abuse.

The clinic meets by reservation on Wednesdays at 5:30pm PT. We typically meet in-person in Huang 218 but can meet virtually when needed. To book a meeting, please email [email protected].

What we do

A clinic meeting can vary, but typically involves:

  • Threat modeling and infrastructure review — We’ll talk through your threat model, spanning both product security and — when applicable — corporate security. We’ll review your infrastructure and explore how you can minimize risk.

  • Data security model consult — We’ll assess the potential attack surface, data model and means of data storage, and backend design of your app from a security perspective. We’ll then tell you what to focus on to safeguard sensitive data as you add features and grow your app.

  • Live security testing — We’ll attempt to find vulnerabilities in your app that might enable an attacker to access sensitive user data, cost you money, or otherwise violate your security model. If we find issues, we’ll recommend ways you can remediate the vulnerabilities and secure your systems.

For applicable startups, we will also work with you to craft a safety model for your product. First, we’ll explore the specific harms and abuse your product might face, such as, spam, fraud, harassment, and stalking. Next, we’ll explore techniques to proactively mitigate these harms, ranging from automatic moderation systems to design changes. Finally, we’ll discuss how you can incorporate monitoring and observability into your stack to ensure that safety issues don’t catch you by surprise.

Note: A consult does not constitute an exhaustive security evaluation of your app. Rather, it represents a good starting point for the evolution of your service with the benefit of a security informed perspective.

About Applied Cyber

Founded in 2015, Applied Cyber is Stanford’s premier cybersecurity student group focused on teaching students practical skills in analyzing, exploiting, and defending computer systems.

Applied Cyber has had a strong track record of working with the Stanford entrepreneurial community to ensure that popular campus apps fulfill the data safety standards students trust them with. In recent years, we have found and disclosed dozens of security vulnerabilities to student startups and social apps and worked with them on fixes that protect student data.

Since 2020, Applied Cyber has also conducted authorized penetration tests of critical services within the Stanford University infrastructure. Engagement targets have included instructional support systems, Windows Active Directory, custom web applications, industrial and environmental control systems, and a smart home and IoT (internet of things) lab.

Over the past nine years, Applied Cyber competition teams have participated in over 80 cyber competitions, achieving top placements in more than 20 of them. Notably, we secured three consecutive National Championships in the Collegiate Penetration Testing Competition (CPTC) between 2017 and 2019, and attained third place in the National Collegiate Cyber Defense Competition (CCDC) in 2020 and 2022 before taking the championship title in 2023.

About the team

The Stanford Security Clinic is co-directed by Aditya Saligrama and Joey Holtzman.

  • Aditya Saligrama is the President of Applied Cyber and a coterm studying computer science with a focus in systems and security. Aditya helped bring home the CCDC National Championship in 2023 as Linux & Cloud Lead and leads web penetration testing on the CPTC team finishing 2nd place globally in 2024. Aditya’s work on finding security vulnerabilities in Fizz was covered by the Stanford Daily in November 2022.

  • Joey Holtzman is a sophomore studying computer science with a focus on systems. He is the vice president of Applied Cyber and is on both the CPTC and CCDC teams. Additionally, he holds the OSCP certification and enjoys hacking and building open-source tools and scripts.