SecureDrop installation & security audit


I had a good conversations today with a consultant from a French security company to figure out how they can be of help when installing SecureDrop for a new organization. My intention is to volunteer installation & training for a French media, as well as maintenance for the year to come. My goal is to be in direct contact with an actual user. It is something I need to really understand what is important. And I am convinced that it would be a waste to spend time & energy to install SecureDrop only to find that I made a stupid mistake rendering it insecure :slight_smile:

He took a look at the SecureDrop documentation and suggested the following steps would make sense.

  • Meeting to explain the installation context.
  • Meeting with the media to understand how security measures are going to be implemented.
  • Pen test when the installation is complete
  • Audit the installation every year

Since they do not know SecureDrop, they would need about a week to learn how it works and understand it well enough to provide a sensible service.

When reading the documentation, they will focus on:

  • points that have a security impact in the SecureDrop installation documentation
  • recommendations to maintain the installation so that security is not degraded

The cost for all the above (not including the recurring audit done every year) would be in the order of 10,000 euros. I’m curious to hear about other people experience. How did you make sure the SecureDrop installation is actually secure ? If you got help from security consultants, how much did it cost and what did they do ?


Good security people who don’t just check the boxes that say “used CSRF” and “has passwords” are pricey. If you can use a non-French company, Cure53 is 1) so good and 2) has done SecureDrop before so might not need as much ramp up time. 10,000EUR is only 50 man-hours of time which really isn’t that much all things considered.

1 Like

Good idea, I’ll contact them !


  • mails sent asking for availability & price for a pen test).
  • a single pen test for the app/mon servers only, with ssh access, assuming the app/mon servers do not host any other software should take less than 3 days and cost less than 3000 euros
1 Like

Sent a request to about a week ago, asking for a volunteer based audit but did not get a reponse yet.