Be careful. It is easy to pay for an audit from a firm that doesn't have a serious cryptography practice. You would reasonably think that any software security firm would be competent in evaluating crypto, or at least crypto basics like whether you're using a sane block cipher mode or failing to authenticate your ciphertext. But it turns out that the opposite is true: the overwhelming majority of firms, including some of the best, have no crypto literacy at all. (The best firms that don't do crypto will tell you this and refer you.)
We've seen some horror stories. It's hard not to get a little irritated when you're the second firm to assess a target and own it up on day 2 with a trivial CBC padding oracle.
All this means is, when you're talking to a potential auditor, ask them hard questions about cryptography. Ask them to describe some of the crypto vulnerabilities they have found on projects. If they talk about "weak keys" or "bad ciphers", they're unserious.
Zooko's team at Least Authority is a serious crypto practice. Engaging Zooko was a good call!
$1000 per auditor/day is less than you'd pay to get someone to run Nessus on your network from a normal firm. Zooko did you an _enormous_ favor. For crypto work, a rate four times as high wouldn't be out of the ordinary.
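The "trivial CBC padding oracle" mentioned above is worth seeing end to end, because it is exactly the consequence of failing to authenticate ciphertext. What follows is an added, self-contained example written for this page; it is not code from the thread, from Least Authority, or from the audited project. To keep it stdlib-only, a toy 4-round Feistel cipher built on SHA-256 stands in for AES (the attack is cipher-agnostic and runs unchanged against AES-CBC); the sample plaintext, keys and function names are all constructed for the demonstration. It shows the vulnerable endpoint (unauthenticated CBC whose padding failures are observable), the Vaudenay attack that decrypts a message with roughly 128 queries per byte, and the encrypt-then-MAC endpoint against which the same attack gets nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    # Toy Feistel cipher standing in for AES (assumption; never use for real).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext, iv):
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n  # PKCS#7
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || ... || Cn


def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(toy_block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))


def _pad_ok(key, ct):
    try:
        pkcs7_unpad(cbc_decrypt(key, ct))
        return True
    except ValueError:
        return False


def vulnerable_oracle(key):
    # The bug: unauthenticated CBC whose padding failure is observable (error, status, timing).
    return lambda ct: _pad_ok(key, ct)


def hardened_oracle(key, mac_key):
    # Encrypt-then-MAC: tampered ciphertext is rejected before decryption, so padding is never examined.
    def oracle(blob):
        ct, tag = blob[:-32], blob[-32:]
        return hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag) and _pad_ok(key, ct)
    return oracle


def recover_block(oracle, prev, target):
    # Recover I = D(target) byte by byte from the right by forging the previous block; P = I xor prev.
    inter = bytearray(BLOCK)
    for j in range(BLOCK - 1, -1, -1):
        pad = BLOCK - j
        for g in range(256):
            crafted = bytes(inter[k] ^ pad if k > j else (g if k == j else 0) for k in range(BLOCK))
            if not oracle(crafted + target):
                continue
            if j == BLOCK - 1:
                # A hit on the last byte may be "\x02\x02" etc. by chance; disturb byte 14 so only a true "\x01" survives.
                alt = crafted[:j - 1] + bytes([crafted[j - 1] ^ 0xFF]) + crafted[j:]
                if not oracle(alt + target):
                    continue
            inter[j] = g ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted a padding at byte %d" % j)
    return _xor(inter, prev)


def padding_oracle_attack(oracle, ct):
    # Returns the plaintext, or None when the oracle never leaks padding validity.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    try:
        return pkcs7_unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))
    except RuntimeError:
        return None


def demo():
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    secret = b"attack at dawn; unauthenticated CBC leaks"  # constructed sample plaintext
    ct = cbc_encrypt(key, secret, iv)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    safe = hardened_oracle(key, mac_key)
    # Against the hardened endpoint the attacker forwards the genuine tag with every tampered query.
    return {"recovered": padding_oracle_attack(vulnerable_oracle(key), ct),
            "hardened_attack_blocked": padding_oracle_attack(lambda q: safe(q + tag), ct) is None}
```

Run `demo()`: the vulnerable oracle gives up the full plaintext without the attacker ever touching the key, while the encrypt-then-MAC oracle answers False to every forged query and the attack fails at the first byte. The one subtle step is the last-byte check in `recover_block`: a guess that happens to produce a longer valid padding such as `\x02\x02` would otherwise poison every later byte, which is why the candidate is re-tested with byte 14 disturbed. An authenticated mode such as AES-GCM or ChaCha20-Poly1305 removes the whole class of bug; this is the kind of finding an auditor without a crypto practice walks straight past.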
We will be conducting ongoing audits and also would like to conduct an audit (hopefully at least partially crowd-funded) on SJCL by itself. Thanks for this valuable feedback!