Application code, for better or worse, is still developed by humans. And humans are not perfect. Thus, complex code will never be perfect. And when you talk about code that is used to empower human rights activists, journalists, and civil society actors, assuming perfection can be dangerous (if not life-threatening) to the user of an application.
For this reason, OTF funds third party audits for all of the code related projects we support. We even offer to audit non-OTF supported projects that are in use by individuals and organizations under threat of censorship/surveillance. We believe this is a responsible thing to do with public money, to assist the developers creating technology for social good, and more importantly the users fighting for Internet freedom globally.
The only thing that makes an audit even better is to make that audit public! Why?
The old argument for open source code is that “anyone can read my code”, report any bugs found, and thus open source is more secure. But the fact of the matter is that significant independent code review is rarely done. People are often too busy to donate their time towards reviewing a project’s code. Users want to use what they can and put their trust in the good faith of the developer. As proof, look to the OpenSSL / Heartbleed issue. It took decades to be exploited, but when it was, it hit fast and hard. As it turns out, it was never audited and only a handful of people reviewed the code.
Audits + Transparency = Trust = Good Publicity
Responsibly disclosing audits after bug fixes are made is good! Users have more trust in an application if a developer can say, “We had a third party audit of our software and we fixed all bugs that were found. Look, here is the report to prove it!” This is doubly true for users in repressive societies. With more trust, there is more likelihood of an application being adopted. This is good publicity.
That said, there are challenges to increasing our Red Team’s public disclosure. Right now, OTF gives developers full discretion to decide whether a full audit report is published when they request an audit. It’s on us, and on you, to keep pushing for publication of audit reports and disclosure of the bugs they find. Moreover, auditors sometimes consider the full report, the number of hours, and the total cost of an audit to be proprietary and confidential information for competitive reasons. This is something we’ve learned on the way here. Moving forward, we’re making sure we work with auditors who allow us to disclose this information publicly. Despite those challenges, we have some really exciting things to share.
Over the past three years OTF has funded more than 30 technology code audits identifying 185 privacy and security vulnerabilities in both OTF and non-OTF-funded Internet freedom projects. To date we have invested more than $700,000 and plan to continue increasing our commitment to auditing tools that expand and improve Internet freedom globally.
Here are a few notable projects who’ve decided to release their OTF-supported audits publicly:
- Cryptocat: audit summary with links to full audit reports found here.
- Tor Project: hardening study found here.
- TrueCrypt: latest audit updates found here.
- GlobaLeaks: full audit here.
- OpenPGP.js: full audit here.
With the hiring of a new Director of Technology (that’s me, Chad!) we would like to reaffirm our commitment to sharing more information moving forward. We know we could be doing better here. Apologies for that. The issue has been time not motivation. Some things to look forward to in the coming months are full details from the past three years of OTF funded audits, articles about how these audits have not only improved code but changed the way organizations operate and, of course, the latest audits as they are finalized. Stay tuned and keep coming back here for more!