Topic: list of security auditors in the community? (Read 1322 times)

I've been certified by BSI as ISO 27001 Lead Auditor

http://en.wikipedia.org/wiki/ISO/IEC_27001_lead_auditor

I do not do code audits, however, unfortunately.
I do not do formal ISO 27001 audits either, but can advise on implementation of a sane ISMS (information security management system) tailored to needs of companies using Bitcoin.

Existing auditors probably do have experience in websites, databases, public key-signed messaging and avoiding data theft.

The standard bitcoin answer to this is go do it, it is open source.

I disagree with this as a sentiment.  I hate to see duplication of work.  I am working on something similar to what you want, the bitcoin testing project.  however, we are a small group.  I do understand the security is needed, but for that we need testcases.

come and join the bitcoin testing project, it will give you a forum for your ideas and I am more than willing to help flesh them out as testcases and best practices/gotcha's.  This is not my top prioroty, so if you do the leg work I can show you what to do.

It would really help the testing project (and therefore bitcoin) to work this stuff out.  I am still not too sure what you are trying to protect and under what circumstance.  Blanket best practices can cause more harm than good. 

for example:
Change your password every month.  - this is a myth, well it it now, it wasnt in 1980.  The idea behind the myth was it would take about two months on top hardware to crack a linux 8 char password.

Therefore it would make sense to change every month, your password cannot be cracked.

Now days, hashing algo's and encryption has advanced so far that it is a security _risk_ to change your password every month.  if you have a 20 char password (4 x 4 letter words) and include punctuation (long!pass#cant%crak) your are safe for years and years.

So this crap about having to have 10 chars 1 upper case, 1 lower case, 1 special char  is a good scheme, but if you have to change it every month, then you will end up using a keyring, writing them down  or stupid but memorable passwords.

pm me if you want an invite link to the testing project.  your ideas and skills will be welcome there

alright, i see what you mean, and indeed i wouldn't want to get the language confused if that's where things are.

but to your point, what i am interested in seeing is movement towards this kind of organization. therefore what might be incredibly useful is a group of NOT auditors, but people who possess knowledge useful to application and (perhaps) blockchain secuirty, standing at the ready to aid new developments.

No problem, nothing taken the wrong way.  I am pretty thick skinned anyway.

I am now not too sure what your goal is. Audit is a word that means something, and it is not really applicable in the sense that I think you mean it. I strongly feel that to misuse this word now will end up in a whole world of pain later. I do not think that you will be able to retrospectivly change peoples already misunderstood idea.

One of the main purpose/ipmact of having auditable critetria is to stop schysters and snake oil sales men.  (Unfortunatly they are also used as a pillow for execs to sleep at night.)

The ability to audit something is granted to an indvidual or company by an overseeing body. The  certification bodies will all have different requirements to pass and different levels to which a person can 'graduate too'.

These bodies (certification providers) define standards, and issue best practices (for those who cannot afford or are not able to get a 3rd party to do their due dilligence).

This is kinda against the whole idea of bitcoin - a central authority who says who can and who cannot play. (well to me anyway, who polices the police? this problem was solved by satoshi by not having any police, only and algo, and public record of everything.)

The only real auditable thing I can see in bitcoin is the blockchain and the blockchain interaction.  This is something I am trying to build into the bitcoin testing project from the start.

however I feel most of this post is irrelevant because I think what you are after is a list of people who are qualified to be able to do due diligence regarding bitcoin business. I imagine these people would be CISSP/pentester/etc.

I dont think the problem is the lack of these people and their desire to work, it is more people do not want to hire them, we will keep seeing more and more hacks until people realise it is cheaper in the long run.  The day a bitcoin exchange gets insurance is the day bitcoin will be here to stay.  I am doing my best to develop hardware to bring this day forward.

Basic security practices would include a security model, which can be reviewed. and pen tested. but this would have to be a case by case basis... _your_ security model is unique to _you_ I am 100% sure if genix saw these documents (they cannot be written retrospectivly) none of the issues would have happened.

If your post was to solve the bitcoinia debacles, then all, every single compromise would have been caught multipule times. and these are stuff like FIPS, etc. it is just in the bitcoin world there is no law saying you need to be audited. unlike Finacial Institutions. Real current releveant audits with real legal implications that would have caught all of the issues were not done.

but saying that, a documented security model would have caught all of them too. (again each one more than once)

The problem was the foundations were broken from the start (think win95)  and there was no security model to start.

the iso 90001 test process was more or less devised so people could audit testing.  an auditor would not be able to tell you that your product is good or bad, just they will all be identical. (by ridgily sticking to the guiidelines)

The good thing about having the auditable testcases and test requirements handled in the QA project space means that we can have bitcoin auditors, and genuine ones, no trust requirement needed.

It can present a clear a defititive security model open to peer review, peer implmentation and will allow mom and pop stores (i am english, its just i like that phrase) will be able to get johnny 5 stars from pc world to check over their setup, or even set it up.) but to make sure it is secure you have to do due diligence and/or trust a thrid party.  

A bitcoin auditor would only focus on the blockchain, like the website (CHECK/CREST/whatever) bloke uses OWASP.

I think I might have drunk a bit too much caffeine, sorry if i am rambling. but audit means audit.


cheers,

steve

I dont normally do adverts, but this is the best caffeine buzz I have had in ages, and I am not twitchy... he takes bitcoin, I have used him for years, he is a stand up guy.
thanks mh-uk. I make this in one of those coffee plunger things, leave to brew for 15 mins. you can add hot water 3 times (therefore brew 3 times) the second brew being the best tasting i think

my recipie
3 tablespoons Guayusa - caffeine and others (Ilex Guayusa)
http://mh-uk.net/page22/page22.html (save 10% with bitcoin)

2 teaspoons Blue lotus - added for flavour
http://www.mh-uk.net/page38/page45/page45.html  (save 10% with bitcoin)

2 teaspoons damania - flavour and calming
http://www.mh-uk.net/page37/page37.html  (save 10% with bitcoin)

Hmm, I wouldn't really make a web page about it but if someone maintains a dedicated list I'm ok being listed.
As for the price it would depend on the context, and on my available time

I'm ok with that

what kind of costs? would you be willing to make a web page about it?

personally i think one of the greatest services you could do to the community would be offering your services openly on this forum, on a pay-it-forward basis, but i don't expect many people to go that way.

however, we somehow need to address the fact of the matter that most bitcoin startups are going to be under- or non-capitalized, and that security failures (perhaps solved by audits that this 17 year old for example could probably not afford) are not helping adoption.

how about a site where we list the auditors and the individual companies they are consulting, which would not only build credibility and the possibility of profit, but make very visible who is responsible for each one.

I can audit any Rails app. But I'm expensive

I run bitcoin-central.net which hasn't suffered a single security issue since it started operating in december 2010, and this despite the source being open for all to see.

i really respect your opinion and feedback steve, so don't take this the wrong way:

i completely agree that there are incredible levels of detail to this, which are not covered by a blanket term like 'auditor'. however, i think that we need not get bogged down by this for the time being: what we need right now is smart people, documenting and talking about this openly, so that we can CREATE _bitcoin_ auditors. it's clear that not many people really know what that means yet, but i DO NOT mean to imply in my suggestion, that we suddenly generate a class of people with whom we suddenly give all kinds of trust.

trust and reputation must be earned, but we need to start somewhere, and i don't think we can wait for the perfect solution to manifest.

I would just add one little comment to the above excellent summary.

Bitcoin auditor paid in bitcoins would open itself to a conflict of interest charge.

So lets see who'll volunteer to become an auditor and just preemptively sue for the breach of fiduciary duty.

This is the year 2012 I do think this is doable. I'm just surprised this hasn't been done. Any business dealing with bitcoins should be givin a packet of the necessary information from security to marketing . I know the wiki is to provide this but we really, really need to provide a pdf version.   My believe is if we don't provide more information to help secure bitcoin related services/business's this is a bigger way to bring bitcoin down then anything I've seen. Just my 2 bits.

It appears this is a service someone could be paid to provide..

It's pretty basic, form a company with security experts, offer a security consultation service and/or security audits with insurance and you're golden.

unfortunatly it does not work like that.

audit has a very spesific meaning in the security world.  it is like a check list against a standard, with applied due dilligence for the particular use - with legal implications if passed or failed (or even just attempted)

for example you would audit against things like FIPS, etc.  however not just anyone can claim to be a security auditor (like they could a legitimatly call themselves a pentester, security tester, security expert, etc, because none of that shit has proper legal meaning)

In the banking world trust in auditors is gained from insurance against the companies and quite a lot of legal stuff.

Now, on to bitcoin, their are no standards to audit against, therefore no possibility of _bitcoin_ auditors. I and the small team I work with know enough to create devices that would pass FIPS testing if it was relevant.  (it is only in so much as the processing of transactions - data in motion, that can be lifted more or less as is from the current banking system) the data a rest stuff is unique to bitcoin.

There is no legal stuff either, this is also a requirement of an audit.

Due dilligence is also something that must be done in order to work out not only if the people can do the job, but to make sure they can do the required standards (that dont yet exist in the bitcoin world)

Solutions are being worked on. but they take time.  Security products have to be secure and no one can protect against stupidity.

hope this helps?

There are zero bitcoin auditors.  however there is a lot of talented people.  It is kinda a pet hate of mine (people misusing the word audit).

cheers,

steve

Maybe, there should be a directory sort of system we provide company's looking to get into bitcoin.  Can feature Auditors have a list of people as such , Security Experts has a list as such and on and on. I like your thinking.

can you guys who are able to do this kind of stuff come forward? can you be called upon to audit new bitcoin apps when they come out, for a little coin?

how can we trust the auditors? what system should we use to measure and track that?

let's start getting this stuff organized, or we're just going to keep having more and more of these stupid, annoying, painful problems.