At certain points in the evolution of any software, it’s important to get a set of expert eyes on its codebase.
Maybe you’re a founder and you built this app as you were learning to code, and you’ve always known you’d want experts to review your decisions. Maybe you’re concerned with the code you inherited from a previous team or offshore contractors. Or maybe you have an active development team, and you’re reading this thinking, “I’ve got a team of experts; why can’t they just audit their own work?”
Regardless of your current situation, there are many reasons why you may want a code audit:
In each of the scenarios above—even if your company has a team of experts—you have something to gain from bringing in an external team to perform a code audit.
Most code audits take place in the context of some sort of change. Your company may be scaling up; the organization of your team may be changing; you may be starting a new project, or taking on new funding.
Here are a few circumstances in which you may find an external code audit valuable:
You’re concerned your codebase isn’t good. More than any other factor, if you have any reason to be concerned about the quality of your codebase, that’s a good sign it’s time for an audit. This could be for myriad reasons: leadership cheaped out and went with an offshore programming team, you recently arrived at a new team and you’re concerned about their existing code, the bugs seem to be coming in faster than you can fix them... if you’re worried about your code, an external audit is your best next step.
You don’t have senior leadership able to assess your codebase. If there’s no one at your organization with the level of technical seniority necessary to understand what you’re doing right and wrong, it can often feel like you’re building your app in the dark. Many traditional leadership structures assume that somewhere there’s some brilliant nerd through whom all technical decisions filter—but in reality, many teams are comprised of a bunch of normal humans who are learning as they go.
You are at a turning point. When your organization is about to scale its user base, launch to a new and different audience, add a suite of new features, take on funding, increase the size of your team, or endure any other form of growth, it’s very common that the plans and decisions you’ll need to make require a deep understanding of the state of your code, its readiness for the future, and how much technical debt you’re carrying.
Your organization is changing internally. If you’re about to merge or have just merged, if your org chart is shifting around, if you’ve got a new CTO, or if there are any other organizational shifts that impact your dev team or the teams they interact, a code audit can help provide a shared organizational understanding of the state of the codebase. The results of an audit can help galvanize and unify your shifting team’s efforts moving forward.
You have security concerns. Security audits are an entity unto themselves, but if you are dealing with particularly sensitive user information, closing a funding round, or are just concerned about data and privacy in general, it’s not a bad idea to conduct a code audit with a specific focus on security.
Any situation where there will be organizational changes, new personnel, additional architecture, or increased scrutiny is the right time for a code audit.
The examples above are varied in their reason for needing a code audit, and likewise, they’re varied in what they require from a code audit. Each code audit should address a particular concern or set of concerns, driven by the specific stated needs of the organization requesting the audit.
This means the first step of an effective code audit is for your auditing team to work to understand your goals. Once the team understands your goals, they’ll dig into your codebase, your application, your logs, and your analytics, and possibly conduct interviews with stakeholders, devs, and users. They’ll take this information together and build a report which conveys some combination of analysis and recommendations.
Consider the following situations. The same type of code audit wouldn’t effectively meet every need. Instead, a tailored option provides a better, more insightful solution.
Situation one: You had an agency build an app because you don’t have an internal team to build one. In this case, your insight into the codebase will be limited. This can make it hard to assess your needs around maintaining your app moving forward.
The result: A code audit will shed light on the general quality and health of your code, and help you allocate programmers or hire accordingly.
Situation two: You have a lean team with a long-running app. Since the app has been in use for a long time, you aren’t sure how new features have been added over time, and your team has experienced turnover, resulting in a loss of institutional knowledge.
The result: A code audit will determine future points of failure to be aware of right now. It may also recommend refactors to make your code more consistent and future-friendly. Your smaller team can prioritize their work to shore up weak points immediately, before working on nice-to-have features.
Situation three: You have an extremely large codebase. Even with a robust internal team, there’s no bandwidth for an in-depth review that provides valuable information for both your development team and company leadership.
The result: An audit shows you a big picture view of quality, as well as granular issues that are a high priority. This means your team can get to work right away on the priority issues, and your leadership can receive an overall status report, both with an appropriate level of detail.
Beyond the situation, the outcomes of a code audit should also be customized to your team and their needs. A solo developer might be perfectly happy with a list of bullet-point observations and suggestions in an email. A venture-backed startup CTO charged with presenting a comprehensive report on the status of their software might want a streamlined, branded PDF to pass out to their board. And a non-profit that hired an agency to build their app might want an audit broken down into categories with a rubric for grading each category to get a comprehensive plan.
It’s nearly impossible for a developer to objectively scrutinize their own work. This isn’t because all developers are personally attached to the code they write—rather, because they’ve been exposed to the code for so long, it can be hard to work through it with a fresh perspective.
Plus, your developers likely don’t have the specific expertise and experience that comes with reviewing hundreds of different codebases on the regular. They may be highly skilled in coding—but that doesn’t always mean they are highly skilled code auditors.
Time and time again, we see the same issue when we conduct code audits: codebases that have been “future-proofed” with layers of code intended to set the application up for some future event, like a fundamental change in the database or framework used. This seems like a smart move to the team at the time, because it satisfies a big-picture business goal. But your internal team may not realize that goal for a decade, and expert auditors will identify if those extra layers of code are hurting your application’s performance in the present.
Some agencies that do code auditing also have a specific philosophy or way of working that is valuable for your team. If you run into problems because you’ve over-engineered all your features, working with an agency that believes code should be clean and simple could add a sorely missing perspective.
For example: Tighten’s way of working avoids over-abstracting and building architecture just for the sake of building architecture. We subscribe to the YAGNI philosophy: You Aren’t Gonna Need It. Our auditors are experts at seeing where something complex can be simplified, because simple code just works better over time.
To figure out if you need a code audit, write down what’s keeping you up at night about your project or application.
Next, ask yourself if you or your team can reliably address those concerns. Do you have the skillset? Do you have the right perspective? And most importantly, do you even have the time?
If you can’t enthusiastically say “yes” to all those questions, it’s best for your team, your application, and your peace of mind to have an external code auditor come in and poke around.
Whether you require a list of suggestions, a hefty technical analysis, or a branded PDF with an executive summary, having an expert set of eyes on your codebase is never a bad thing.