by crimbles 880 days ago
Interesting read. I will point out that having seen "security audits" done by top tier well known security companies, they aren't worth the paper they are written on. They are selling you a pen test script run, the output of which is farted into a document for the least amount of time they can expend on it.

If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.

2 comments

Disagree, their reputation is tied to their audit quality.

But I'm pretty sure in this case the scope was bad. Like they could have had audits on "Do I use OpenSSL well?" and then misrepresent that all their privacy claims were audited.

Now it seems like Skiff conveniently didn't allow Trail of Bits to publish their reports, they are usually here: https://github.com/trailofbits/publications/tree/master/revi...

Disclaimer, I have used Trail of Bits service in the past (and 2 other auditors for a security campaign on a blockchain, cryptography + networking product).

Really? That’s not my experience. I’m not denying companies are out there basically selling a rubber stamp like you say, but I’ve worked with sharp folks from Matasano and NCC Group who would go deep, learn from eng about system but also do blind red teaming, do physical pen tests etc. I think you’ll probably get what you pay for and get good results if you put in good effort working with them.

I can’t speak to Cure53 but I feel like I’ve seen that name on a few failed cryptocurrency thingies.

I was actually including NCC in that one...