HACKER Q&A
📣 clcaev

Who does OSS security audits?

We have an exceptionally large code base of Java, "R", C++, and JavaScript, and are looking to contract with an established vendor to do security audits and ongoing health monitoring. Is there a list of vendors that do this work (hopefully at a discount; funding is always tight)?

  👤 mtmail Accepted Answer ✓
https://www.radicallyopensecurity.com/ ("Non-Profit Computer Security Consultancy") was mentioned on the front page yesterday. I have a friend working at https://www.bugcrowd.com/, which is probably the other end of the spectrum, being all enterprise with sales teams.

👤 w10-1
Sonatype (not an audit, but ongoing software supply-chain management)

https://www.sonatype.com

They got their start from Java Maven-based projects and progressed via the Nexus binary repository.