by burkaman
3262 days ago
Yes, a security audit is an examination of an application and the processes around it. In this case passing means the application "is able to offer a good level of privacy and security. In other words, the Briar secure messenger can be recommended for use."

"Audits" and "passing" make some sense for network security, where you can run a checklist of best practices and known vulnerabilities. But you can't really "audit" source code in the same sense, any more than you can contract someone to spend 2 weeks finding all the sev:hi crashers or data loss bugs in your database.

It would be good if organizations could stop pretending that "passing" a software security assessment was meaningful.

What you really want to know is how many person/days Cure53 spent on Briar, who Cure53 had staffing the engagement, what the scope of the engagement was (what components were off limits), and whether they found anything that was subsequently fixed (it's an industry secret that one of the reasons you do an audit is so you don't have to publish the "real" findings).

From the report, it looks like they spent 13 calendar days testing (it's not clear how many person/days were spent), of which only 3 were dedicated to cryptography, and the audit was constrained to the Android client-side code.

For perspective: the "industry standard" software pentest of a reasonably complicated web application is 2 people, 2 weeks.