Hi everybody, this is Charles Hoskinson, broadcasting live from warm, sunny Colorado. I just wanted to make a quick video to talk to you guys a little bit about the latest news of the day. We always have cool, interesting things coming out. Today we had the audit report from Root9B finally released. So there are three files, and I tweeted a link. If you guys go to our GitHub repository, it's HK external audit, you can see three PDFs available for download. One download is the audit report itself, so this is basically what they found; it's about eleven pages long. The second is our rebuttal to the audit report, and that's about 13 pages long. And then the third is confirmation of remediation.

So generally, how a security audit is done is that you'll negotiate a scope of the audit with the auditor: the techniques they're going to use, the capabilities of the adversary, the particular code that they're going to look at, whether it's a static or dynamic audit, these types of things. Then the auditor will go and conduct that audit, and they'll generate an audit report. They provide that audit report to us, and then they give us a chance to write a rebuttal to the audit report. This is where we either explain that it's not a concern to them, or we say, "Hey, that's right, and we're going to fix it," or we say, "Hey, that's right, and we're not going to fix that." Those are kind of your options with a security audit rebuttal. Then we write that down, and those go to the auditor. The auditor reads it, and then the auditor says, "OK, we agree with you, and if you claim you fixed it, we'll verify that," or they say, "No, we still disagree, we think this is a problem." And then all three of those documents are connected together and you produce a public release. So you can have big audits, you can have little audits; you can spend lots of money on these things, hundreds of thousands of dollars, if not millions of dollars, if you want to. But generally, regardless of whether it's big or small, this is how an audit report is conducted.

So this was the first of hopefully many audits that we're going to do on the security side for Cardano, and the Foundation will be taking it from there, and they're going to eventually decide and roll out a campaign between now and the conclusion of 2020. But for today, we just got through the first one. And this is actually the third time that our code has been audited: the first time was by an auditor called Grimm, the second time was by a Swiss auditor called Kudelski, and this is now the third audit, done by Root9B. It is customary to rotate auditors on a regular basis. It brings new ideas and freshness, it's also a little bit of diversity in thought, and it also prevents stagnation. So Root9B is the primary auditor for the time being, and I suspect others will come. But we wanted to make sure that we're as transparent as possible, so we've published all three. We've been given a clean bill of health for the scope of that particular audit that they did, and Charles Morgan will go into far more detail at the product update on April 30th, when we do that live. So he'll provide all that information to you guys and go through the audit report as written.

And in that repository, the external audit repo, which I'll put into the description of this video, and it's also available on our GitHub page if you take a look at that, that's where we're going to put not only this audit, and have put this audit, but all future audits that are done. Now, you can do other audits as well. You can do process audits, you can do documentation audits, above and beyond security audits, for example. And we will begin a conversation between the technical people at the Cardano Foundation and our engineers about what is reasonable to have some oversight over and provide some third-party review about.

In particular, I'm quite interested in assembling a red team for documentation about Cardano. So as we launch Shelley, we are going to publish a bunch of updated documentation for Shelley, and you're already starting to see some of that trickle out, for example the beta documentation of Adrestia for exchange listing. So that's just one of many components that have to be clearly documented, and we have Rob Cohen and others working very hard at basically making sure we get that done in scope for the launch of Shelley. But documentation is only as good as those who consume documentation, so it would be very nice to make sure that we have a proper red team formed, and that people are able to let us know where we have deficits in our documentation and where we can explain things a little bit more cleanly and clearly, or if there are contradictions or holes, for example, in the documentation.

There are other things that can be looked at, like, for example, code quality. As I've mentioned repeatedly, our code quality, I feel, is the best in industry, and this is because we are using techniques and processes that no one else in industry is using. So it would be interesting to get some third-party validation of that. You know, you can kind of armchair look at who's using QuickCheck and who's using formal specifications and these things, and it's obvious that not many people around are doing that. And since we are following that process, it would seem to reason that we are the highest quality, but it would be nice to have some independent validation. So this is another example of an audit that could potentially be in scope. So these are things that we and the Cardano Foundation will have some discussions about moving forward, to see how much we can saturate in the external audit repo for third-party validation.

But overall, the strategy has always been: for science, use peer review; that is the most reliable third-party validation that the science is correct. For code, make sure first you clearly and unambiguously write down what you want to do, and that's why we have formal specifications, and then use formal techniques to ensure that the code is high quality. Then, externally, at the very least make sure that from a security perspective the code has been examined by dedicated professionals. And Root9B is a great company, as well as Kudelski and Grimm when they were there, and Root9B has certainly well more than talented people who can understand Haskell code, but also understand operational security, code-level security, all the kinds of things that you'd really care a lot about when you're thinking about how you deploy these things in practice and how people will actually be able to attack the systems. So it was great working with them, and we love working with any auditor, regardless of who is selected. And we're going to work really closely with the Foundation to make sure that we keep this momentum and that we absolutely make sure that Cardano is the industry standard. Then, for every other project, the people who own tokens in those projects will start demanding the same levels of quality and assurance that Cardano has.

So thanks for listening, and I highly recommend you guys take a look at the audit report and also attend the product update on the 30th. It's only six days away. A lot of goodies are going to be there; almost everybody's talking, and they're talking about some Shelley news there, so there's going to be a lot of good stuff there. And this is one topic that's near and dear to my heart, because it's a validation of the work we've done, and it really does show that we can clear a security audit so quickly, that the code quality is very high quality. So do take a look at these things, and do attend the product update in six days. Thanks everybody, take care.