[Cryptography] How to solve the hen-and-egg problem

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jul 30 01:07:28 EDT 2015


Ralf Senderek <crypto at senderek.ie> writes:

>People I've asked for advice, how to get code review, seem to say that unless
>the Crypto Bone isn't used widely, nobody will have any reason to look at the
>source code.

Even if it's used widely, it may never get looked at. I probably don't need to
name names here for examples of OSS security apps where no-one ever bothered
looking at the code... come to think of it, the only well-audited apps [0] are
ones where the authors themselves take the time to do the auditing.
Occasionally someone will take a peek inside some code somewhere, and with
distressing frequency find security problems, but I'm not sure if anyone ever
sits down and says "I'm going to spend the next six weeks reviewing the XYZ
code base".

So you've (unfortunately) really only got two options:

1. Review it yourself (which includes using static source code analysers,
   Valgrind/ASAN, and every fuzzer you can run on it).
2. Pay someone else to review it.

Peter.

[0] Excluding crisis-mode audits like the ones for Truecrypt and OpenSSL.
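The first option above, reviewing your own code with sanitizers and a fuzzer, is easier to start than it sounds. The following is an added example (not code from this thread or from the Crypto Bone project) showing the usual shape: a small, hypothetical tag-length-value record parser of the kind found in many crypto tools, a libFuzzer entry point that hands it arbitrary input, and a hand-constructed regression set. The format, the field limits and the function names are assumptions made for the example; the build flags in the comments are standard clang/gcc sanitizer options.

```c
/* Added example: fuzz harness + ASan/UBSan build for a toy TLV parser.
 * Not from the mailing-list post; the record format is invented here.
 *
 * Fuzz build (libFuzzer supplies main, so ours is compiled out):
 *   clang -g -O1 -fsanitize=fuzzer,address,undefined -DFUZZ_BUILD harness.c -o harness
 *   mkdir -p corpus && ./harness corpus/
 * Stand-alone build, then run under the sanitizers and/or Valgrind:
 *   cc -g -fsanitize=address,undefined harness.c -o selfcheck && ./selfcheck
 *   valgrind ./selfcheck
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS    4
#define MAX_FIELD_LEN 64

struct record {
    size_t  nfields;
    uint8_t tag[MAX_FIELDS];
    size_t  len[MAX_FIELDS];
    uint8_t value[MAX_FIELDS][MAX_FIELD_LEN];
};

/* Parse a buffer of [tag:1][len:1][value:len] fields (constructed format).
 * Returns the number of fields parsed, or -1 on malformed input.
 * Every bound is checked before the copy; remove any one check and the
 * fuzzer plus ASan will report the resulting overflow within seconds. */
int parse_record(const uint8_t *buf, size_t n, struct record *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < n) {
        if (n - pos < 2)                    return -1;  /* truncated header  */
        uint8_t tag = buf[pos];
        size_t  len = buf[pos + 1];
        pos += 2;
        if (len > n - pos)                  return -1;  /* runs past buffer  */
        if (len > MAX_FIELD_LEN)            return -1;  /* would overflow value[] */
        if (out->nfields >= MAX_FIELDS)     return -1;  /* would overflow arrays  */
        out->tag[out->nfields] = tag;
        out->len[out->nfields] = len;
        memcpy(out->value[out->nfields], buf + pos, len);
        out->nfields++;
        pos += len;
    }
    return (int)out->nfields;
}

/* libFuzzer entry point: the fuzzer calls this with mutated inputs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    (void)parse_record(data, size, &r);
    return 0;
}

/* Hand-constructed regression cases (also a good seed corpus).
 * Returns 1 if every case behaves as expected, 0 otherwise. */
int selfcheck(void)
{
    struct record r;
    const uint8_t good[]  = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
    const uint8_t trunc[] = {0x01, 0x05, 'a'};   /* claims 5 bytes, carries 1 */
    uint8_t big[2 + 100];                        /* len 100 > MAX_FIELD_LEN   */
    big[0] = 0x07; big[1] = 100; memset(big + 2, 'x', 100);

    if (parse_record(good, sizeof good, &r) != 2)                         return 0;
    if (r.tag[0] != 0x01 || r.len[0] != 3 || memcmp(r.value[0], "abc", 3)) return 0;
    if (r.tag[1] != 0x02 || r.len[1] != 0)                                return 0;
    if (parse_record(trunc, sizeof trunc, &r) != -1)                      return 0;
    if (parse_record(big, sizeof big, &r) != -1)                          return 0;
    if (parse_record(good, 1, &r) != -1)          /* header cut in half */ return 0;
    if (parse_record(good, 0, &r) != 0)           /* empty: zero fields */ return 0;
    return 1;
}

#ifndef FUZZ_BUILD
int main(void)
{
    int ok = selfcheck();
    printf("selfcheck: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
#endif
```

The point of the stand-alone build is that the same source runs under ASan/UBSan, under Valgrind and under the fuzzer without modification; the regression set doubles as the seed corpus, so a crash found by the fuzzer can be added to `selfcheck()` and stays fixed.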

