Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Recommend consultant to discuss pen test?

Maxim Kammerer mk at dee.su
Fri Sep 6 09:36:04 PDT 2013


On Fri, Sep 6, 2013 at 8:03 AM, Tom O <winterfilth at gmail.com> wrote:
> Posting a news article without context or response from Veracode is weak.

That was just a reminder for a topic that has already been discussed
on this list. My main intention was to provide an example (in the form
of a post similar to yours) for Jonathan Wilkes' remark wrt. affected
reputation.

> Chris Wysopal stated the static crypto checks were run to check if the API's
> were implemented correctly, not implementation of custom keygen.

I am sure there are after-the-fact excuses. Since you didn't provide a
reference, I assume that this specific excuse if not something worthy
of attention. Veracode's report is here, if you are interested:
https://blog.crypto.cat/wp-content/uploads/2013/02/Cryptocat_Attestation_Veracode_20130222_final.pdf

Looking at the code is indeed not mentioned in the report, so it's all
fine, I guess — just make sure something like that is in the next
contract.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte



More information about the liberationtech mailing list