Multiple steps are involved to ensure a successful collaboration on a planned security consulting engagement. Whether it requires a security audit, limited security evaluation, or security by design consultation, the process begins by scheduling a call to clarify the in-scope components, areas of concern that are to be prioritized during the audit, as well as the overall project cost.
After an agreement is reached, we share the Audit Preparation Checklist and ask that due diligence be undertaken to finalize, as a minimum, the project’s documentation, design specification, test suite, along with identifying a stable audit target in the development roadmap. Adequate preparation for a security audit is beneficial in a number of ways, both for the purposes of a security audit and in reinforcing development best practices that provide long-term benefits to projects and teams. Furthermore, effective preparation reduces inefficiencies and enables our security research teams to focus their efforts and time on reviewing the security of a project.
Once the audit preparation steps have been completed, our project management team schedules a kickoff call for the project to confirm that the scope is clear for both the development team and our researchers, and to check whether there are any particular concerns or questions about the scope, schedule, or team. Shortly after, a communication channel (Slack, Discord, Telegram, etc.) is agreed upon and created. When the review commences, our researchers use this channel to ask clarifying questions about the code and the different components in scope. We also periodically share updates regarding the progress of the audit. If any critical issues are found, they are communicated immediately upon identification.
As the review progresses, internal weekly check-ins or syncs are scheduled to hold pairing sessions and engage in knowledge sharing. Regular collaboration is crucial, as it helps researchers verify their initial leads in the early stages of discovery by asking their colleagues to peer review and investigate their preliminary findings. Detailed notes are also taken throughout the review process so that they can be revisited later, when needed.
In the report writing phase, careful consideration is given to the audiences of the report, which typically consist of the client development team (technical), the client leadership team and stakeholders (technical/non-technical), and the general public (technical/non-technical). Several skill sets are therefore required to bring the report to fruition: the researchers add their findings to the report and share comprehensive details from their notes, specifically relating to the project context, areas audited, system design, code quality, tests, documentation, code comments, scope, and dependencies. The Project Manager, as well as a Technical Editor, also get involved in the writing process, prioritizing quality assurance by ensuring that the content of the report clearly documents all the research findings, is mindful of the aforementioned target audiences, and, most importantly, demonstrates a rigorous review and close knowledge of the scope. Our findings typically cover three key factors: what issues or suggestions we identified, what the implications of our findings are along with a risk assessment, and our recommended course of action for remediating or otherwise mitigating the finding. Issues are typically findings that may result in the loss of funds, the compromise of user secret or private data, or cause the system to function in an unintended manner, while suggestions are best practice recommendations for an area that can be improved to increase the overall security of the system. For a better understanding of the information included in the report, our security audit report guide offers additional insight and details. This can be read in conjunction with our annotated security audit report, which showcases the different key elements of an audit report.
After the delivery of the Initial Audit Report, we remain available to discuss any questions or feedback that may arise, once the report has been reviewed. We then schedule the verification of the issues and suggestions in the report once we are informed that the suggested changes have been implemented. We also share a Verification Guide to help facilitate the review process for the Final Audit Report and encourage addressing the findings in a timely and efficient manner.
During the verification review, we assess whether the findings shared in the Initial Audit Report have been addressed. When this analysis is completed, we update the report and provide a Final Audit Report, which includes statuses that describe how – and to what extent – the issues and suggestions have been remediated or mitigated. We encourage that all findings be resolved and that the Final Audit Report be shared publicly, and published in whole, for the transparency of efforts and the advancement of security learnings within the industry. A list of audits we have completed and published is available here.
As advocates of privacy and security, we are also constantly experimenting with new approaches to publishing security audit reports in order to make them more accessible and usable by additional audiences and systems. More specifically, we have recently created Bitcoin digital artifacts in preparation for publishing security audit reports in the form of Ordinal inscriptions (aka NFTs), so that security audit reports can be inscribed on sats on Bitcoin.
By conducting comprehensive investigations and analyzing systems, we aim to identify potential vulnerabilities and assist with remediation or mitigation strategies, thereby reducing security risks and improving the overall quality of the systems we review. Performing security audits also demonstrates due diligence to stakeholders (e.g. users, exchanges, investors, etc.) by providing increased assurance that security is a priority. Additionally, security audits contribute to increasing the number of secure tools in our ecosystem, which benefits the users and helps educate the community by broadening our collective knowledge on common attack vectors and areas of vulnerability within various types of systems.