[cjCamel]

When dealing with sites where high trust is required I think people would much rather see an independent audit or compliance with a (legit) security accreditation than a Norton badge, however, most of the time this is not offered, so we make do with the crappy badge, a recommendation, or gut instinct.

Having said that, I deal with independent audits in my job, and they're not all that reassuring.

[3D4y0]

Pardon my ignorance or perhaps its just that I've become jaded, but outside of circumstances with dire/sever consequence such as laws, regulations, etc how does an independent audit (legit accreditation or not) verify what happens after the audit is done and the auditors long gone?

How does an independent audit detect out of band taps (swapping binaries, re purposing archives/backups, mirroring, etc) on infrastructure the auditor wasn't monitoring before the audit? logs? but more importantly amortized or not the customer eventually pays for all this activity that at the end of the day is more fluff than substance (in terms of what the customer can actually verify) In the end doesn't all this come down to just another form marketing?

Please note, that I recognize that there are many scenarios where an independent audit would add value. I just don't think it adds anything that social validation doesn't already add when considered from the perspective of a consumer to whom the infrastructure behind the service is unavoidably opaque.