How to ratify & audit open source security

SpiderOak this month released its open-source, cryptographically secure cloud application development framework called Crypton.

This is interesting, but that’s not the point.

The software is essentially a method for creating privacy-oriented applications that can use any backend storage provider.

That’s still not the point.

Following a series of audits by security researchers at Least Authority and Leviathan, and subsequent vulnerability fixes, SpiderOak has officially released the software as an open-source framework to the developer community.

That, is the point.

How SpiderOak did what it did and ratified its software openly with audits by security researchers is the point.

It is common for software providers to undergo security audits to ensure the viability of a code base. However, it is extremely rare that the audit firm or its results are shared publicly for fear of public scrutiny and/or future accountability.

“As public awareness of online privacy and security issues grows, the software community needs to demonstrate that they have the capability to protect user data in the cloud. Our decision to make public the code and audits of this application framework is part of our commitment to full transparency and openness with the community,” said SpiderOak CEO Ethan Oberman.

“In the wake of major security lapses such as Heartbleed, for example, it is incumbent on companies producing frameworks and toolkits to adopt not just an open model but also an open audit model whereby the community can review, understand and work together to create and support the right foundation for these products.”

SpiderOak commissioned a series of third-party audits of Crypton’s open-source framework by security researchers at Least Authority, a company with experience building verifiably secure storage systems, and Leviathan Security Group, a risk management and security solutions provider.