Purely naively I would guess that it means during whatever audit they ran, no signs of insecurity were observed. Maybe it would be better to say that it didn't "fail" the audit?


You can't really fail an audit though. The point of an audit is to make your application more secure. Using terms like pass/fail just reinforces a sense of fear where there shouldn't be any.

A pentest consists of an analysis period, typically about a week. Then any flaws in your app are communicated to you, along with steps to reproduce them. When you feel you've fixed the issues, a retest is scheduled and the pentesters verify that each flaw has been fixed.

A healthy application is one that's pentested on a regular basis. Ideally after every release, though only big companies can afford that.


>You can't really fail an audit though. The point of an audit is to make your application more secure. Using terms like pass/fail just reinforces a sense of fear where there shouldn't be any.

I see, that's a good point I hadn't considered.


Want to guess how many audits Microsoft Windows "passed" before the SMB bug exploited by WannaCry became public? :)

That was one of the most heavily audited components too.
