“Audits cost too much”
We’ve seen what happens in the open source ecosystem when audits are deferred – those vulnerabilities assumed to not exist are discovered, and the aftermath is a project, community, and entire ecosystem in shambles.
If you ask those authors if they made the right choice deferring an audit, will they talk about the money they saved? The reality is, whatever they saved was then spent on the costly reactionary security services of recovering, consulting, and patching, or lost in brand reputation.
Since those reactionary services are both untimely and also do nothing to prevent future vulnerabilities, it should never be the first choice. As the saying goes “An ounce of prevention is worth a pound of cure”, and in technology no matter what you choose to do, the cybersecurity industry is going to make money off of your choice either way. The safer and cheaper option is security audits that can eliminate the need for recovery work and cost.
In terms of actual costs, these audits provide vulnerability discovery at rates competitive with bug bounties. For a similar cost per vulnerability, audits securely share issues with proof of vulnerability and provide custom fix recommendations alongside the rest of the audit report. Holistic audits save money by bundling work, tooling, testing, and review in one package, eliminating the need for multiple engagements and streamlining maintainer labor. You get more for your money- and it’s preventative.
For projects that don’t have a budget established for funding an audit, public funding can be applied for in which millions in funds per year are contributed towards the audits of projects that are meaningful to the open source ecosystem, and with the right partnerships provided at highly discounted rates.
Since those costs are manageable and can even potentially be covered by public funding, does it really make sense to keep deferring an audit? What other reasons might it be deferred?
“Audits take too much of your time and focus”
We’ve seen audits sometimes deferred by projects for fear of audits delaying their progress, interference with releases, or fear of maintainer time commitment. Additionally, there’s mystery around what an audit means for maintainer time investment. Project teams have enough on their plate as it is, wouldn’t an audit just add to their workload?
Audits can be done with low maintainer commitment and produce high quality results that strengthen community trust, making it a more marketable project overall. Moreover, audits are not just about code analysis, they are about building a relationship with auditors and improving the practices of the developers. The sooner that educational process starts, the sooner the benefits can be applied.
Well-run audits will also respect maintainers’ capabilities and time. When effectively managed, audits will maximize results for the minimal amount of time investment necessary on the part of maintainers. By employing standard security disclosure pipelines and using preferred communication methods, as well as providing fix support, audit teams shoulder the main work of an audit leaving only the bulk of fixing to the discretion of maintainers. The audit teams work not only as experts on the security of the code but as representatives of their work, open to collaboration and discussion when necessary. Audits can exist as a conversation between the project and the audit team in every sense, while still respecting the limitations of schedule and availability of project resources.
So if it’s all possible to do without major distractions to your development cycle and is worth the minimal time you do commit, what other reason might there be to defer the process?
“It’s too complicated to start an audit”
If you’ve decided an audit is the best route for your project, the natural next step is to do…what exactly? It’s a highly competitive sector, with lots of different firms vying for contracts. What kind of an audit do you need? What would be involved? What information would you need to provide, and is there any preparation required before starting? Is there a time where having an audit is too early? How would you even know who to choose when you don’t even know how far your budget can go, if you are even lucky enough to have one?
The process of requesting proposals, and then selecting the best one, is a high-pressure investment of time and resources that might induce decision paralysis. In trying to take the first step, the daunting task of beginning an audit may already seem a convoluted one.
Proper audits don’t start with execution though, they begin with getting to know a project and where it is. Sometimes it’s just a matter of sending an email and getting a discussion started. Sometimes the audit that is required is simple and based around best practices that can be provided to the developers to follow. Sometimes it’s just a matter of building a relationship with the auditors to know expectations better. Either way, the audit process is just as much about the journey – of making better decisions, better developers, and a better project just as much as assessing existing code and concepts.
But by connecting with auditors to start that discussion, you’ll be able to quickly and quietly identify what firms or organizations have your best interests in mind, which ones you feel the most comfortable working with, and how to manage the eventual budget expectations.
You’ll want to get to know the people handling the audit, as choosing your audit team based on singular factors- like brand recognition or cost savings- can lead to unsuccessful, short-term engagements that don’t serve your project or community and just drain your budget.
It’s best to base your decisions on previous experience in similar projects, and by meeting with funders and teams who audit frequently. By picking their brains, you can get a lot of valuable information about how your audit should be conducted, and by whom. Use the community in open source to inform your decision. This can all be handled for you as well by auditors who are passionate about open source projects like yours, who want to bring you up to speed to the state of auditing and security, primarily because your project is an important part of the ecosystem we all depend on, and securing your code is securing society.
Isn’t that worth starting the discussion?
Find out why OSTIF is the best answer for your audit questions: WHY OSTIF?
Reach out to [email protected] about your audit needs.