When a closed-source company hires somebody to audit their code, is the auditor forced to do it in the company’s office?

Let’s say that ACME, Inc. is making closed-source software. It’s closed for a reason (they don’t want it leaving their building other than in compiled form). Now, they are hiring some company/person to audit the code for them. How exactly is this done?

If I were ACME, Inc., I would want the audit person (or persons) to come to my physical location, get literally locked into a room with no Internet access, carefully frisked for any USB sticks or any other electronics both when they enter and leave. With cameras recording the screen and the auditor’s face/hands 100% of the time he/she spends in there, which is carefully looked at by my own employees as it happens and/or afterwards.

However, this sounds both demeaning for the person doing the audit, and also unrealistic for anything but the biggest and richest companies. (And with a security-conscious/paranoid CEO.)

I cannot imagine that they just ZIP up their source code tree and e-mail it to the auditor or something similar. Even with encryption and whatnot, this just feels horribly insecure. I would feel as if the second the source code is sent to the auditor remotely, it’s “left the building” and become “potentially public”.

How is this done in practice? Do companies really trust the security of the audit companies? As I type this, I realize how silly that sounds, since they are after all paying them to find flaws in their own code, but still, something about not controlling the whole process just sounds horribly insecure.

I wouldn’t be surprised if you answered that most companies these days just have a “private GitHub repo” to which they grant the auditor access in some GUI. But I would never, ever do that myself…

Why an invisible iframe to logout from Office in a Office phishing?

In a phishing page for Office account (login mimicking the normal login page and stealing the credentials through a simple ajax request, then navigating to a dummy public google doc), attackers have put an invisible iframe with the url

https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392 

Why would they do that? I don’t see the point.

Get User Photo, Name &Title of an office 365 group using SPfx

I am trying get the user details i.e. UserName, Title and Profile picture of users that belong to a office 365 distribution group.

I tried this code sample, but i get an undefined error i.e. msGraphClientFactory is undefined.

export default class HelloWorldWebPart extends BaseClientSideWebPart<IHelloWorldWebPartProps> {   public render(): void {     // ...      this.context.msGraphClientFactory       .getClient()       .then((client: MSGraphClient): void => {         // use MSGraphClient here       });   }    // ... }` 

Can someone suggest what i might be doing wrong or suggest an alternative to get the groups members and their user profile info like photo, name an title.

User passwords printed on paperwork at a dental office?

My dental office just printed my password (to their portal) on some checkout paperwork.

I asked on law stackexchange and it doesn’t sound like this is a HIPAA violation, but I am really curious if this violates other regulations or goes against known best practices, as it seems really bad security-wise.

It doesn’t feel right that they can even see my password.

Any thoughts / resources much appreciated.