
Comment by hf

12 years ago

Over 300,000 LoC:

    ~/tmp/openssl-1.0.1g $ find . -name "*.c" | xargs wc -l  | tail -n1
      349834 total

This is too much by at least one order of magnitude. What's the going price for a crypto-level code review (I'm not even saying audit) these days?

Is all this code necessary for state-of-the-art encryption, or isn't it rather backwards-compatibility baggage? If the latter: how much could be gained by splitting the project into '-current' and '-not'?
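The one-liner above has two traps a reviewer scoping an audit should know about: `xargs` may split a long file list across several `wc` invocations, each of which prints its own "total" line, so `tail -n1` then reports only the last batch; and unquoted filenames with spaces or newlines are mangled. The following is an added example (not part of hf's comment or of OpenSSL) that takes the same measurement without those problems and also breaks the count down per top-level directory, which is the first step toward answering the "core vs. baggage" question. It assumes a POSIX shell with `find`, `wc`, `awk` and `mktemp`; the sample tree, its file contents and its directory names are constructed for the demo and do not reflect OpenSSL's layout.

```shell
#!/bin/sh
# Added example, not from the thread: robust LoC count of *.c files.
#
# Running wc once per file (-exec ... \;) means wc never prints a "total"
# line, so the awk sum is correct no matter how many files there are and
# regardless of any argument-list batching. find quotes paths for us, so
# names with spaces are safe.

# Total physical lines in all *.c files below $1.
count_c_loc() {
    find "$1" -type f -name '*.c' -exec wc -l {} \; \
        | awk '{ s += $1 } END { print s + 0 }'
}

# Lines per immediate subdirectory of $1, printed as "<count> <dir>",
# largest first. Useful for separating core crypto/TLS code from the rest.
loc_by_subdir() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(count_c_loc "$d")" "$(basename "$d")"
    done | sort -n -r
}

# Constructed sample tree (hypothetical layout, not OpenSSL's) for a demo:
# 3 + 2 + 5 = 10 lines of C, plus one non-C file that must be ignored.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/crypto" "$t/ssl" "$t/compat dir"
    printf 'a\nb\nc\n' > "$t/crypto/aes.c"            # 3 lines
    printf 'x\ny\n' > "$t/ssl/s3_lib.c"               # 2 lines
    printf '1\n2\n3\n4\n5\n' > "$t/compat dir/old.c"  # 5 lines, dir has a space
    printf 'ignored\n' > "$t/crypto/README"           # not a .c file
    printf '%s\n' "$t"
}

# Usage: sh loc.sh /path/to/source-tree
if [ "$#" -gt 0 ]; then
    printf 'total: %s\n' "$(count_c_loc "$1")"
    loc_by_subdir "$1"
fi
```

Run it against a real checkout with the path as the first argument; with no argument it defines the functions only, so it can be sourced. The per-directory view is what makes the follow-up question tractable: a reviewer can quote a price per directory rather than per 350,000 lines.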

The cost of a cryptography code review is about $5-10k per week.

  • Thanks! So how does this work: Say I have this project and I want it audited -- would you (or the company/person that you had in mind) give me an estimate like "I'd need 3 weeks for 25, 5 weeks for 50 or 10 weeks for 95% coverage" or do you simply analyse away for a week (or whatever time I'm willing to pay you) and try to find something?

    • I don't have personal experience with it, but apparently these things are booked months in advance, on a contract basis. The engineer doing the audit spends an agreed number of weeks finding as many problems as they can, and hands you a report at the end.


  • That cheap? A freelance web/mobile developer can charge over $5K per week; I find it hard to believe that you could get a quality security code review for that price.