Software Audits

Software audits are reviews of a software product, its source code, or one or more of the processes around it, including software development, quality and testing, and maintenance and support.  Some audits are built into the SDLC process and are conducted by company employees.  Others are more formal and are conducted by external organizations on behalf of customers or external certification bodies.  An audit can consist of manual and automated source code reviews, manual and automated testing of the actual product, reviews of logs and meeting notes, and interviews with team members.  In most instances the audit results in a passing grade, but with identified exceptions.  These exceptions typically need to be addressed immediately, within a rather short time, or before the next scheduled audit.


Common types of audits include:

  • Security and vulnerability audits – designed to validate that the product is suitably secure and can withstand specific attacks.  The audit process typically involves validating that proper engineering processes were followed, that selected critical modules are defect-free, that appropriate and/or required algorithms are used, and that the software product can withstand various forms of simulated or real attacks.  Many software tools exist to aid with security and vulnerability audits.
  • Performance audits – designed to validate that the product performs as required.  These audits typically consist of a series of prescribed performance tests and selected source code reviews to validate that proper algorithms are used and that common performance-related software mistakes are not present.  For applications that support a very large number of users, it is often not practical to reproduce such a large environment for testing purposes.  In such cases, simulations are created or results need to be extrapolated from small configurations to the anticipated large configurations – a process that isn’t necessarily very predictive.
  • Compliance audits – designed to validate that the product conforms to a specific set of published standards.  They are typically conducted periodically by external audit agencies.  Oftentimes the standards change from audit to audit, and the software and processes may need to be modified accordingly.  The nature of these audits is highly dependent upon the published standards, but they often include at least a document review and interviews of selected team members.  The auditing team may use common or custom-made software tools to aid in the audit process.
  • 3rd-party software audits – designed to identify all instances of 3rd-party software code (open source and proprietary) that may be contained in the product.  Much of this activity is automated.  The earlier 3rd-party software is identified, the more options an organization has and the lower the financial risk.
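The 3rd-party audit in the last bullet is the one most often automated.  As an added example (not the page's or the author's own tooling), the Python script below inventories the components pinned in a requirements-style manifest, looks each one up in a license table, and ranks them by the review effort a license family usually triggers, so unknown and proprietary components surface first.  The manifest, the license table and the risk ranking are all constructed assumptions for the example.

```python
import re

# Added example (not the page's own tooling): inventory the third-party components pinned in a
# dependency manifest and classify each one's license risk.  Manifest and license table are constructed.
MANIFEST = """\
requests==2.31.0
cryptography==41.0.7
mysqlclient==2.2.0       # links against libmysqlclient
acme-widgets==1.4.2      # vendor component under a commercial license
leftpad-internal==0.1.0  # no license metadata available
"""

# Constructed license table; a real audit reads package metadata or a license database instead.
LICENSE_DB = {
    "requests": "Apache-2.0",
    "cryptography": "Apache-2.0 OR BSD-3-Clause",
    "mysqlclient": "GPL-2.0-or-later",
    "acme-widgets": "Proprietary",
}

# Assumed risk families ranked by review effort; unknown ranks worst because it blocks the audit.
RISK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "proprietary": 2, "unknown": 3}
FAMILIES = (("MIT", "permissive"), ("BSD", "permissive"), ("Apache", "permissive"),
            ("AGPL", "strong-copyleft"), ("GPL", "strong-copyleft"),
            ("LGPL", "weak-copyleft"), ("MPL", "weak-copyleft"), ("Proprietary", "proprietary"))
PINNED = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s#]+)")

def family(license_id):
    """Map one SPDX-style identifier to a risk family; unrecognised identifiers stay 'unknown'."""
    return next((fam for prefix, fam in FAMILIES if license_id.startswith(prefix)), "unknown")

def classify(license_expr):
    """For an 'A OR B' expression the consumer may pick the least restrictive alternative."""
    if not license_expr:
        return "unknown"
    return min((family(i.strip()) for i in license_expr.split(" OR ")), key=RISK.__getitem__)

def inventory(manifest, license_db):
    """Return (name, version, license, family) for every pinned component, riskiest first."""
    rows = []
    for line in manifest.splitlines():
        m = PINNED.match(line)
        if m:
            name, version = m.group(1).lower(), m.group(2)
            lic = license_db.get(name)
            rows.append((name, version, lic or "UNKNOWN", classify(lic)))
    return sorted(rows, key=lambda r: (-RISK[r[3]], r[0]))
```

Running `inventory(MANIFEST, LICENSE_DB)` lists the component with no license metadata first, then the proprietary and GPL ones, which is the order an audit report should present its exceptions.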

During an acquisition, many of the above audits are conducted on key products as part of due diligence.


For more information:

  • Veracode provides vulnerability tools and services
  • Percona offers a Performance Audit service for a popular database (MySQL)

Contact Robert

Phone: 978.460.0662

Fax: 978.443.7414

E-mail Address:

btm@swxprt.com

Robert is located in the Greater Boston Area.

© Robert Mulcahy