KeePassXC Awarded ANSSI Security Visa

KeePassXC 2.7.11 has been released with a host of new bug fixes and improvements, especially around attachments, but perhaps the most notable news from KeePassXC is that it has received a First-level Security Certification (CSP) from the French National Cybersecurity Agency (ANSSI).

ANSSI Security Visas are somewhat like code audits, but more comprehensive. In addition to rigorous tests from accredited laboratories (including penetration testing), Security Visas are also designed to ensure compliance with government standards.

KeePassXC's Security Visa is valid for three years and is recognized by French and German authorities. The audit report is publicly available.

This audit applies specifically to Version 2.7.9 on Windows 10; however, it is a fair assumption that KeePassXC has put the same level of attention and detail into their other apps available on other operating systems.

This highlights one of the biggest drawbacks of code audits: they represent a snapshot in time of a specific piece of code. There is no guarantee that Version 2.7.11 didn't introduce some new vulnerability. That said, it's impossible to prove a negative. Despite all the extensive testing, there's no guarantee that Version 2.7.9 is completely free of vulnerabilities either.

Nevertheless, code audits remain an excellent heuristic for judging and vetting a service: if reputable experts spent sufficient resources on examining the code and have found it to be clean, functional, and well-executed, at the very least this demonstrates that the entity behind the service is likely qualified, capable, and operating in good faith, meaning that they will most likely continue to do their best to keep their product secure and respond quickly to any problems.
