Request for Input: Securing the Zcash Ecosystem

We need to separate privacy from security in this conversation.

Security is not all about testing. In fact, security testing is pretty useless to make software secure (odd thing to say about my own job, but it is true).

This post is about security specifically.

You can only get secure software from secure design and defensive/secure coding. Security testing is meant to verify this has been done.

I think @zebambam put it best with this entire post. I don't want to quote it all, but please read it again. - Application for Major Grants Review Committee - #41 by zebambam

Security has to start with Security Engineering and Security Research, the whole time being supported by Security test. - I have a few ideas; Zcash is in a slightly different and much better position than most.

@holmesworcester may I suggest that whoever is in on those calls/comms has at least one person who knows about these types of companies, testing and reporting and can speak the same language.

This is in very early stages, but I would like to see a Zcash test dept that covers this sort of thing as well as milestones, signoff on features, test plans, test cases, etc. I am not sure of the logistics of this yet.

Other companies - Yes, contact me via PM. I don't want to advertise companies I don't work with or dox the ones I do.

Thinking more on this makes me think we need to do this ourselves (the finding the right companies) - bambam's post I linked reminded me of a few conversations.

If we give XYZ company who does do crypto and other pentesting the job of finding pentest teams and specialists, we are just going to pay 3 times for contractors. We want to be establishing long term knowledge if possible.

We have at least two “internal” development teams and no “internal” test team. - Who does the testing, out of interest?

