I've proposed modifying build scripts and dev'ing app-specific fuzzers to the same non-profits that funded OVPN audits. Answer is always no.
Typical answer: "we'd rather pay to train the developers (through a report) than fund a bug finding CI tool that does it for them."
Any thoughts on why this is, @dguido?
IMHO because there's a misguided "Has it been audited?" chant without thinking about the bigger picture. It's a client education problem.
Is the client requesting this in eng, sec, or biz/other?
Non-profits have a mission to ensure the tools they provide to at-risk people are safe. For example, see https://www.opentech.fund/
A core engine to ensure rigor/scaling of security is the BIG THING I feel more prodsec teams need. I've tried to build around it