This is awesome. I'm sad that CryptoCat is getting slammed for this for being one of the brave few to post this online. I am sure there are an infinite number of "security-critical" apps which would fail an audit like this, but who never even thought to GET an audit -- much less post it online. The software development community is much stronger for being able to see professional stuff like this posted.
Does anyone know how much these audits typically cost, if you're not being subsidized?
Generally 10-50k is a good starting point for this level. Most firms are full up on work most of the time, but will often try to get interesting new companies or projects even if they're less profitable since 1) they can grow into better stuff 2) good for reputation and for retention of their own employees.
Compliance-only is usually cheaper; you can buy rubber stamps for <$10k.
It's important to distinguish that the places offering the <10k rubber stamps aren't really offering the same service (even if you concede that it's only for compliance).
Places like that are just running a scanner against your website. In the case of an app like this (which was an iOS app), you might find a cheap place to run it through a source code analyzer (either through a cloud-hosted service like Veracode, or by running an app like AppScan).
Assuming you wanted to hire a "respectable" firm to actually perform a real application assessment, I'd say it's closer to 30-50k.
If you look at the report, it was scoped at 3 man-weeks of testing (which in this case looks like it was 3 engineers for 1 week). Even if you don't include any additional overhead (like hours for the report generation, or project management hours), you're looking at ~24k just for the engineers' effort (if they just priced it T&M, which hopefully they don't).
To be fair, this is a pretty exotic application though, compared to what a lot of other people might be working on. The scope for a project to test a more "normal" app would be less. Maybe even half that.
Right -- a $10k real audit is a "deal" of some kind -- either a firm trying to win future business with a discount, or an individual doing it directly (especially from overseas, or as a side job).
You can also get a better deal if 1) you're open source, and the audit becomes part of someone's portfolio 2) you provide really clear documentation, security model, etc. to make the process more efficient 3) your app is already well-architected so the security-critical part is small, and you only audit that part.
There's probably a 100x bigger pool of people capable of doing "IT audits" and "hosting environment audits" well vs. appsec for webapp or mobile app (or especially desktop app).