The Tech Doctor: How to Perform a Code Audit
Part and parcel of the consultancy game is performing code audits. Here at ArganoUV, we like to think of it as a tech health check – we’re the doctors dressed in white, equipped with our otoscopes, stethoscopes, reflex hammers, and instrument sterilizer.
There are many projects – those that we build from scratch – in which we run comprehensive code audits after mapping out a strategy to carry it out. Then there are projects where we inherit legacy code, for example when we’re building on top of previous sites.
“The idea is to have visibility of the quality of the project and discover any potential bugs, security breaches, performance or scalability issues, development standards and best practices,” said ArganoUV tech lead Marco Perez. “Practically the audit is the ‘certification’ that the system meets the expected quality to avoid potential issues.”
After many years of building projects and auditing them, our audit process is a solid, standard part of what we do. And because we take full responsibility for what we build, we look seriously at the architecture from the foundations to the antenna (so to speak).
“The time needed for the audit is defined by multiple variables,” added Marco, “such as the size of the project, amount of people involved in the project, and the scope of the audit, ranging from the output of the audit and modules of the project to constructing a checklist for consistency.”
Yet for everything there is an average. For most ArganoUV projects, a code audit generally takes between 1 and 2 weeks to complete.
As hinted at above, before we dive deep into the tech architecture, we first need to understand what we’re dealing with – because we know the dangers of diving in spontaneously, without having mapped out the terrain and potential pitfalls (sorry for switching up the metaphors). This is particularly true for clients with complex websites, whether they’re hosted on the popular yet limited CMS WordPress or the elite and substantially powerful ecommerce platform Salesforce Commerce Cloud – the latter of which is essentially one of our best power tools.
The ArganoUV way is to “have a checklist of what to include in the audits and tools to use based on the technologies for automated audits,” added Marco, “as well as structured formats to present the results of the findings. In addition, we profile our software engineers to know who is the best fit to complete the audit.”
Once we’ve vetted who will take on the auditing, “they can include a group of engineers as well,” said Marco, “they could be members of the development team or external members. Usually the participants (if they’re members of the development team) are a representative sample of the whole development team – just a couple members – that will be able to provide details of the work done and the process used.”
So with this in mind, we’d like to give you code nuts a sneaky peek into how to perform a quality code audit.
Step one: Meet and fix needs
Always the most important step, we start out by meeting you and mapping out the core company aims that we’re going to help you out with. We document the ensuing process that is agreed upon and reach out to maintain continual communication.
Step two: Check the architecture
Then we carry out a comprehensive review of the project’s code, documenting each of its parts, like certificates, data planes, the front-end parts and back-end parts. Here is where my health practitioner metaphor comes into play – getting insights into the general health of the code, and the level of its functionality.
The front-end review focuses on how quickly images and files load and whether the site displays correctly across different devices. The back-end review focuses on the interconnections between the moving parts of a site or app, and concludes whether the code follows a standard structure or has entangled itself into a complete mess.
We test each component in the project with a set of static analysis tools. We check for code duplication, security problems, cyclomatic complexity, and other issues. The toolset depends on the code’s programming languages. Some tool examples are CodeClimate, Pylint, CSSLint, RailsBestPractices, Reek, Rubocop, and ESLint.
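As an added illustration of the three checks named above (this is example code, not ArganoUV’s toolchain), the following minimal static-analysis pass walks a Python module’s AST, scores each function’s cyclomatic complexity, flags structurally identical function bodies, and reports calls on a small watch-list. The threshold, the watch-list and the sample source are constructed assumptions for the demonstration.

```python
import ast
import hashlib

# Assumed audit threshold and watch-list (illustrative, not a real checklist).
COMPLEXITY_THRESHOLD = 10
RISKY_CALLS = {"eval", "exec"}

# Constructed sample: two copy-pasted parsers and a config loader that evals its input.
SAMPLE = '''def parse_price(raw):
    if raw is None or raw == "":
        return 0
    return float(raw)
def parse_amount(raw):
    if raw is None or raw == "":
        return 0
    return float(raw)
def load_config(text):
    return eval(text)
'''

def cyclomatic_complexity(func):
    """McCabe score: 1 plus one per branch, loop, handler and extra boolean operand."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler)):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1
    return score

def audit_source(source, threshold=COMPLEXITY_THRESHOLD):
    """Report per-function complexity, over-threshold functions, risky calls and duplicate bodies."""
    tree = ast.parse(source)
    report = {"complexity": {}, "too_complex": [], "risky_calls": [], "duplicates": []}
    seen_bodies = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            cc = cyclomatic_complexity(node)
            report["complexity"][node.name] = cc
            if cc > threshold:
                report["too_complex"].append(node.name)
            # ast.dump omits source positions, so structurally identical bodies hash the same.
            digest = hashlib.sha256(ast.dump(ast.Module(body=node.body, type_ignores=[])).encode()).hexdigest()
            if digest in seen_bodies:
                report["duplicates"].append((seen_bodies[digest], node.name))
            else:
                seen_bodies[digest] = node.name
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in RISKY_CALLS:
            report["risky_calls"].append((node.func.id, node.lineno))
    return report
```

Running `audit_source(SAMPLE)` reports the duplicated parser pair and the `eval` call; the real tools listed above do the same kind of walk with far richer rule sets.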
Step three: Get our hands dirty
We work with machines but we’re not drones. We know that despite the ever-expanding powers and complexities of technology, the human touch is still an important part of the process.
More specifically, our veteran software developers carry out a manual inspection of the code and draw conclusions, based on high-level expertise, about test coverage, data structures, and data design.
Step four: The data archive
On projects that we have not built from scratch, we focus on the data archive to find out the processes that were followed in order to build the currently existing code architecture – everything from what the language is and how it is currently performing to testing for security issues.
Step five: The action items
The final step is to come up with action items to recommend to clients before taking over any project that already has a built architecture.
This is, of course, a very general outline of how ArganoUV carries out code audits. But if you want to get into the finer details of our ways of the digital world, get in touch with us and we’d be happy to share some stuff. We’ll even provide the coffee… or Zoom invitation link.
PS: ArganoUV is one of the world’s leading Salesforce Commerce Cloud (Demandware) integrators. Contact us to see how we can work together.