Towards Better Security when the Stakes are High
iSEC Partners has always had a focus on making the internet a more secure place. We work with our clients to secure their systems, contribute to Internet Standards Bodies, and have published tools to help people make code correct from the beginning. As part of our goal to make the Internet a safer place, we've published the Liberation Technology Auditing Cheatsheet.
Aimed directly at fellow security consultants, it is intended to list additional technical issues to search for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a stock trading application), or technologies designed to be used by journalists operating inside repressive countries.
The goal is to have more people performing more vigorous auditing of applications that fit these criteria - identifying and resolving architectural issues that put people at risk. If you are an architect or developer of such an application, we also hope this list will provide you with a critical look at designs and implementations that can create flaws in your own applications.
As we all know, security can't be bolted on - it must be architected in. We hope this work will ultimately improve the security posture of existing and in-development applications that people rely on.
Published date: 11 February 2013
Written by: Tom Ritter