iSEC Partners, Inc. has conducted an assessment of the source code of the TrueCrypt 7.1a disk encryption suite.
iSEC tested the open source code, searching for bugs, vulnerabilities and backdoors and assessing whether the code is well written, and has published a detailed report about the security of TrueCrypt, available for download in PDF format at this address: LINK.
The results show that the TrueCrypt suite does not contain backdoors or other maliciously implemented code intended to exploit or weaken the security of the cryptographic environment.
However, the source code analysis showed that the program is not perfectly well written: it is based on old compilers (1993 Visual C++), implemented using several deprecated functions, and suppresses some important warning messages.
These problems, even if they do not introduce a direct threat to the privacy and integrity of the data, may cause bugs and vulnerabilities as the code grows in size and complexity. The learning curve for new programmers approaching this suite is also quite steep.
At the end of the assessment, 11 vulnerabilities were found in the source code, but none of them has a high grade of risk or is easy enough to exploit.
So maybe we can assume that TrueCrypt is secure and usable, but the TC developers need to follow iSEC's advice to refactor the code, and TC users need to read the TrueCrypt documentation carefully in order to implement cryptography on their systems the right way and avoid different types of attacks on the privacy of their data.
Now that the source code analysis is complete, phase two is about to begin: real cryptanalysis. If you want to follow the future development of this study, you can refer to this website: http://istruecryptauditedyet.com/