You would not believe the # of times I've proposed this to clients and been shot down. Everyone just wants a report. https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
Any thoughts on why this is @dguido?
IMHO because there's a misguided "Has it been audited?" chant without thinking about the bigger picture. It's a client education problem.
Is the client requesting this in eng, sec, or biz/other
Non-profits have a mission to ensure the tools they provide to at-risk people are safe. For example, see https://www.opentech.fund/
Seems like there's a way to spin the CI tool as auto-generated reports, but it's hard to tell people what they think they need isn't right
It's the difference between "I need a piece of paper to show someone (above or outside of org)" and "I actually want to secure this thing"
Misses that fuzzers also find bugs that can be used to train developers & verify developer training is/was working just as much as audits.
We typically integrate both approaches if possible, code auditing + tapping in fuzzing... in test suites ideally. Each gives its own results.