SecureDrop installation & security audit

Bonjour,

I had a good conversation today with a consultant from a French security company to figure out how they can be of help when installing SecureDrop for a new organization. My intention is to volunteer installation & training for a French media, as well as maintenance for the year to come. My goal is to be in direct contact with an actual user. It is something I need in order to really understand what is important. And I am convinced that it would be a waste to spend time & energy to install SecureDrop only to find that I made a stupid mistake rendering it insecure :slight_smile:

He took a look at the SecureDrop documentation and suggested the following steps would make sense.

  • Meeting to explain the installation context.
  • Meeting with the media to understand how security measures are going to be implemented.
  • Pen test when the installation is complete
  • Audit the installation every year

Since they do not know SecureDrop, they would need about a week to learn how it works and understand it well enough to provide a sensible service.

When reading the documentation, they will focus on:

  • points that have a security impact in the SecureDrop installation documentation
  • recommendations to maintain the installation so that security is not degraded

The cost for all the above (not including the recurring audit done every year) would be in the order of 10,000 euros. I’m curious to hear about other people’s experience. How did you make sure the SecureDrop installation is actually secure? If you got help from security consultants, how much did it cost and what did they do?

Cheers

Good security people who don’t just check the boxes that say “used CSRF” and “has passwords” are pricey. If you can use a non-French company, Cure53 is 1) so good and 2) has done SecureDrop before so might not need as much ramp up time. 10,000 EUR is only 50 man-hours of time which really isn’t that much all things considered.


Good idea, I’ll contact them! https://cure53.de/#contact

Updates:

  • mails sent asking for availability & price for a pen test.
  • a single pen test for the app/mon servers only, with ssh access, assuming the app/mon servers do not host any other software should take less than 3 days and cost less than 3000 euros

Sent a request to http://securitywithoutborders.org/ about a week ago, asking for a volunteer based audit but did not get a response yet.