When you say team you are mixing lots of different skillsets.
- I suggested this in my application. It would be better to have a general purpose team with crypto ability, like NCC and use them to farm out the rest.
- Webapp pentesting is not cryptographic maths assurance which is not network segregation or HSM/container management, which is not the same as app development.
- all carry unique issues that need specialists (this is why OWASP was made, hardened PHP, etc.)
- Yes, I know a number of different companies that I could reach out to over this.
- I would like to see it organised, as in “this software needs to pass these requirements” - as outlined by the mgrc, then tested for by people with insurance and reputation in that area.
btw - your link. kinda 404’s but shawn explained removed image.
A great example of of this would be the bug you found. That should never have made it to security review. it should have been part of release test procedures. There is a lot of room for automation and manual conformation. but these test harnesses need to be built on an technology or device undertest. (that might translate bad. I mean. You build a test harness to test zcashd, or zecwallet, or if you are particularly brave and really good, libraries.)