Top internet security firm Trail of Bits has kicked off an in-depth security audit of the Status v1 code base. They will be reviewing the status-protocol-go, status-go, and status-react repositories, focusing on high-risk elements such as the protocol, storage, and key handling.
Here at Status, implementing a comprehensive security strategy is of the utmost importance. Across the entire Status feature set, engineering has been done with security as a priority. It is, after all, one of our Principles:
We don't compromise on security when building features. We use state-of-the-art technologies, and research new security methods and technologies to make strong security guarantees.
As we reach major milestones in development, after rounds of internal reviews and audits, we engage industry-leading, third-party auditing firms to check our assumptions and to double- and triple-check the work that we do. These security audits are additional checks by objective third parties, and they help bolster confidence that our intended functionality is secure.
Our upcoming security audit will be performed by Trail of Bits – one of the leading security auditing providers around today. They have performed work for a number of high-profile clients such as Facebook, MakerDAO, Golem, Compound Finance, NuCypher, Tendermint, and many more.
They were also named as a leader in Midsize Cybersecurity Consulting Services in the Forrester Wave™, Q2 2019.
The review will focus on high-risk elements of the Status mobile application. This includes the soundness of the underlying protocol (including the first-ever audit of Whisper itself), how secrets are stored and accessed, how the spending of blockchain funds is authorized, and a general mobile application security assessment.
To do this, Trail of Bits will employ a range of manual and automated techniques to ensure both breadth and depth of coverage. The team of experts will review key areas of the mobile application codebase, with much of the focus on the GitHub repositories status-protocol-go, status-go, and status-react.
The audit kicks off today and will run throughout the month of October. Results will be made available after the 1st of November. However, if additional time is required to ensure an extensive and thorough review of the codebase, results may be published at a later date.
High- and critical-severity issues will be reported to Status immediately. The Status development team will be on hand to fix issues as they are found, in order to keep up with the audit timeline and scope.
All conversation around issues and their mitigation will be published after the audit is finalized.
Trail of Bits frequently develops automated tooling for clients when an engagement calls for it. In past engagements, automated testing tools have been produced and delivered alongside the final report for continued use by the client. The exact tools delivered will depend on the requirements and constraints of the project and on the capabilities of Trail of Bits, but they should enable more effective security testing both during and after the project.
Want to follow along with the Security Audit discussion? Have questions about scope? Join us in the Discuss thread here.
Or join us in the Status public channel #status-security