Code audit

What do we mean by code audit?

A code audit is perhaps the most interesting secure development process out there, mainly because it has different meanings for different people. Code audit solutions range from automated audit tools (perhaps SAST could also be considered as a form of automated code audit?) to manual reading and analyzing each line of code by an expert.

Irrespective of the way people interpret its meaning, it’s one of the oldest and perhaps most effective way of finding flaws in your code.

In this section we will look at some nuances of the process, and how it can be a useful tool in your secure development arsenal.

Where do I start?

Take care of your embeds

If your application is statically compiling a third-party open source library, ensure that the audit process accounts for that. Here the expectation is not to audit all the compiled third-party libraries, but to be aware of the various interfaces or API calls to them. There should be no assumption that the library API interfaces will sanitize the input parameters unless otherwise stated in their documentation. Therefore such differences should be carefully considered and accounted for.

The audit report

Writing an audit report can sometimes be more of an art than a science. However your audit reports don not have to have the perfect formatting or even the best fonts, as long as you have the correct amount of information, they should be fine. Normally audit reports include the following information

What to do after the audit is done/ audit report is written

Now that your audit is done and the audit report is written, what we do next is the most important part.