[liberationtech] Recommend consultant to discuss pen test?

Maxim Kammerer mk at dee.su
Fri Sep 6 09:36:04 PDT 2013


On Fri, Sep 6, 2013 at 8:03 AM, Tom O <winterfilth at gmail.com> wrote:
> Posting a news article without context or response from Veracode is weak.

That was just a reminder for a topic that has already been discussed
on this list. My main intention was to provide an example (in the form
of a post similar to yours) for Jonathan Wilkes' remark wrt. affected
reputation.

> Chris Wysopal stated the static crypto checks were run to check if the API's
> were implemented correctly, not implementation of custom keygen.

I am sure there are after-the-fact excuses. Since you didn't provide a
reference, I assume that this specific excuse is not something worthy
of attention. Veracode's report is here, if you are interested:
https://blog.crypto.cat/wp-content/uploads/2013/02/Cryptocat_Attestation_Veracode_20130222_final.pdf

Looking at the code is indeed not mentioned in the report, so it's all
fine, I guess — just make sure something like that is in the next
contract.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte