[ANN][AUDIT] AuditStarter - the main crowdfunding platform in software security

As part of the AuditStarter project, our CTO Dmitry Kotelnikov wrote a manifesto. We are really interested in your opinion on the idea to attract and interest the community of ordinary users in the problem of software security (especially in the field of blockchain, where, as a rule, there is no centralized support service that you can contact and get an answer - how, where and why the funds/data disappeared).

Manifesto

What do you know about software security? I think no need to explain how important this is. Every day you use software in which you are not completely sure. Hacks, vulnerabilities, theft of data and finances occur every day, and as systems become more complex over the years, the security problem becomes more acute. Now we are fully confident that the software developers themselves must provide secure code. And in this we are right, but not always it turns out. Checking code for security or searching for vulnerabilities is often more expensive than writing this code itself.

Large companies are actively moving in this direction, providing us with a safe environment (operating systems). They have funds for security, they are able to release security updates in advance and conduct checks. But even they are at risk for many reasons, one of which is manifested in the absence of an independent parallel verification. Companies rely on their own security department, which can work very inefficiently. In addition to large software & OS development companies, there is a user’s (custom) software. This market is huge, and it is also critically vulnerable in terms of security and user protection. As practice shows, even free software (open source code - anyone can check) does not provide the proper level of security: for years in use libraries & software with vulnerabilities. Developers very often rely on the competence of their colleagues or the community and use potentially dangerous code that no one has ever checked (an example of using the open source library with the vulnerability in whatsapp, which is still in use by many applications). As for the little-known software, the situation in it is even worse: the developers simply do not have enough money even for the simplest verification. There are many examples, but not here and not now. At the moment, I am trying to pay increased attention to this problem in general terms.

I believe that it is necessary to change the approach to checks and methods of searching for vulnerabilities and software security breaches. It is necessary to introduce new approaches, increase the number of checks, attract the necessary funds for security with the participation of all interested parties. Necessary checks must be made in advance, rather than waiting for hacking and loss of information, count losses and eliminate vulnerabilities after their use by hackers. In addition, I consider it necessary to reduce the cost of these checks and increase their availability. It is also necessary to change the approach of security specialists to their programs, moving from firefighting (fixing vulnerabilities after hacking) to fire protection (previously tested secure code).

At the moment, there are already exists a lot of the necessary software for the verification. Of course, its wider application is necessary. But no software cannot replace verification by human. Certainly, the checks do not guarantee the elimination of all vulnerabilities in 100%, but undoubtedly improves the quality and security of the code. Each parallel inspection also increases the probability of finding a vulnerability and increases the security of the software.

In the field of security, it is necessary to use blockchain technology, which will make it possible to create a unified decentralized database of signed verified software releases with a history of checks and verifiers. Also, the development of web3, requires enhanced integration between users and developers in the field of software security.

The main message of this manifesto is to get the attention of the user`s community to the safety of the software used. Users should not just rely on the integrity of developers. Users should be aware of whether the security checks for the software they use have passed. Users should be interested in bringing together user communities, developer communities, and software security professionals. Everyone will benefit from such a union. Users will have confidence that the software they use is safe, and developers will have confidence that their code is safe. Currently, user participation is necessary for many reasons, the main of which is the reduction in the cost of checks, an increase in the number of checks and feedback from specialists in the field of software security. The community of software users far exceeds the community of specialists in the field of software security. And even a small participation of users able to significantly improve security and become more confident in the future. Together we will make this world a little better!