
The Billion-Dollar DNA String: Engineering for Multi-Compromise Survivability

In the biotech industry, one string of text can be worth a billion dollars. A single genetic sequence can represent the entire foundation, IP, and product pipeline of a therapeutic spinout. If that sequence leaks, it’s game over. The digital representation of a biological candidate is the ultimate high-value target.

So, how do you build a platform for scientists that allows them to do their work securely with little to no friction? If security gets in their way, they will find a workaround. I feel like this should be some theoretical law found on page 829 of a third-year textbook.

And how do you build now that the attack surface extends all the way down to the dependencies that make up modern software and infrastructure? You could vendor everything, but then you get trapped in the eternal cycle of “update too soon vs. update too late.”

At BSD, we start with a unified platform approach. It’s a single point of entry managing a suite of modular applications consisting of Research, Design, Architecture, LIMS, Construction, Data, and even chat. Access is strictly granular; an investor can log in and see only the specific data relevant to their portfolio company.

Because our team is largely remote, traditional corporate perimeter defense is dead. An internal-only isolated network simply doesn't work.

Watching the relentless rise of supply-chain CVEs and the inherent fragility of modern cloud compute platforms forced a shift in my architectural philosophy. I started out building a standard Zero-Trust Architecture, but it eventually evolved into what I now think of as a Multi-Compromise-Survivability Architecture.

The premise is simple: assume systems will eventually be breached. If an attacker compromises one system, they should not be able to pivot into another. To gain access to raw DNA sequence data, an attacker must either be an authenticated user with explicit permissions or compromise multiple isolated systems simultaneously.

We achieved this through an application shell that handles the heavy lifting of baseline security:

  • The Core Stack: Built with Go, Zig, HTMX, and vanilla JavaScript. Without a package manager. We do not need one.
  • Identity & Access: Strict OIDC with PKCE, role-based access control (RBAC), and mandatory MFA with hardware keys.
  • The Backend Split: Complete architectural separation between basic application logic and anything dealing with IP.
  • Physical Boundaries: Out-of-band (OOB) management planes, encrypted air-gapped backups and cold storage, and physical failsafes at the lab boundary.

The entire infrastructure is decentralized by design. It consists of an isolated secrets manager, an application server running containerized services with a tunnel connection, decoupled authentication and authorization services, a standalone git client, an immutable auditing database, and a small dedicated “manager” computer for secure CI/CD.

If any single one of these nodes gets compromised tomorrow, it’s fine. An attacker would need coordinated compromise across multiple isolated systems to exfiltrate and decrypt sequence data.
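One way to make "compromise one node and get nothing" concrete, as an added illustration that is not BSD's code: XOR-split the data-encryption key between two of the isolated nodes (here assumed to be the secrets manager and the IP backend), so a sequence blob stolen from one node and a key share stolen from the other are each useless on their own. The node roles and the splitting mechanism are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Share is one half of an XOR-split AES-256 key; each half sits on a different
// isolated node, so no single node holds a usable key (assumed layout).
type Share [32]byte

// Combine XORs the halves into the real key, in memory and per request only.
func Combine(a, b Share) (key Share) {
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	return key
}

// SplitKey draws two independent random shares; the key is their XOR and is
// never generated or written anywhere on its own (rand.Read cannot fail, Go 1.24+).
func SplitKey() (a, b Share) {
	rand.Read(a[:])
	rand.Read(b[:])
	return a, b
}

// newGCM wraps the key in AES-256-GCM; neither constructor fails for a 32-byte key.
func newGCM(key Share) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealSequence encrypts a sequence; the fresh random nonce is prefixed to the output.
func SealSequence(key Share, sequence []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, sequence, nil)
}

// OpenSequence decrypts; a wrong key (for example one share used alone) fails the
// GCM tag check, so a stolen blob yields nothing without both nodes' halves.
func OpenSequence(key Share, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob too short")
}
```

The same split extends naturally to more than two nodes (XOR as many shares as there are custodians) or to a threshold scheme when availability matters as much as confidentiality.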

In biotech, a single sequence can represent years of research and an entire company’s future. The infrastructure should reflect that reality.