Jump to content
Gili

Security audit

By Gili, in Data Security

Recommended Posts

Gili    27

Gili
Posted

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team.

Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product?

Thanks,
Gili

  • Like 18

Share this post

Link to post
Share on other sites

Xinamo    3

Xinamo
Posted
On 1. 9. 2016 at 1:29 AM, Gili said:

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team.

Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product?

Thanks,
Gili

+1

  • Like 3

Share this post

Link to post
Share on other sites

Mark    7

Mark
Posted

At least an answer please? AFAIK "Security of our data is your utmost priority." We have questions and thoughts, yet there is not even an answer from the maintainers. This itself means a serious security concern.

  • Like 4

Share this post

Link to post
Share on other sites

Hemant Kumar    60

Hemant Kumar
Posted

Hi @Mark

Thanks for posting your query on our Forums. From a consumer point of view, we do respect your concern about security.

17 hours ago, Mark said:

"Security of our data is your utmost priority."

 Yes. it's true.

On 9/2/2016 at 4:59 AM, Gili said:

Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product?

1

We also thought of getting a third party audit of Enpass but eventually had to drop this idea for some time (so far). All this because Enpass supports so many platforms with a high frequency of updates (all together) and it is not possible for us to get every update audited because every successive update will invalidate the last audit done. Also getting the source code audited is very hefty in terms of time and expense.

I hope that helps answer your question.

  • Sad 1

Share this post

Link to post
Share on other sites

Gili    27

Gili
Posted

Hemant,

Thank you for your response.

I don't think anyone is expecting frequent audits. Once a year or every 3 years should be enough. As to the cost... that's the cost of doing business. The primary reason I skipped over this product was because it was both close-sourced and unaudited. Otherwise, I would have purchased a copy.

Gili

  • Like 9

Share this post

Link to post
Share on other sites

Ivarson    20

Ivarson
Posted (edited)
On 2016-12-01 at 5:48 PM, Gili said:

Hemant,

Thank you for your response.

I don't think anyone is expecting frequent audits. Once a year or every 3 years should be enough. As to the cost... that's the cost of doing business. The primary reason I skipped over this product was because it was both close-sourced and unaudited. Otherwise, I would have purchased a copy.

Gili

+1

If you choose not to share the source, its sorta up to you to pay some third party to review the code with NDA.

And as Gili said, no one expects reoccuring audits. Its mostly, or at least about customers needing to know that you've implemented cryptography in a acceptable way and of course that there are no additional ways in to a running process of Enpass.

 

Edited by Ivarson
  • Like 5

Share this post

Link to post
Share on other sites

Mark    7

Mark
Posted

Hermant,

I didn't say it's not true, just wanted to point that if it is then some response to these topics might help.

Actually I am not that concerned about anyone stealing the credentials to my favourite restaurant's website (I don't keep sensitive data in these programs), but nevertheless I am doing my homework in form of a "security audit". I am no security expert nor have access to the source code, but can still find the obvious things (database, encryption, cloud sync, communication, etc) which might make people a little bit less afraid of your software.

Even then, these days it's quite common that people are afraid of anything when it comes to their privacy. This is something that you should keep in mind when choosing not to do a third-party audit because <insert any reason here>.

  • Like 2

Share this post

Link to post
Share on other sites

gammy    5

gammy
Posted (edited)

+1

It's funny to hear that ensuring that your cryptographic product is in fact secure is not worth the effort.
Other apps come to mind: Signal, Telegram, Veracrypt.

All cross-platform, all frequently updated, all audited.
Oh, and they're all free.

Edited by gammy
  • Like 4

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing
×
×
  • Create New...