IT Audit: Better Prevent Than Cure. Technical Product Audit

Article author
Umbrella IT
  1. Code Review
  2. Server Infrastructure Review
  3. System Testing

The COVID-19 outbreak has already caused much chaos resulting in newly found vulnerabilities, unexpected overloads, increased cybercriminal attacks, etc.

A software product audit is one step closer to the reliable and safe functioning of IT products and systems.

There is no need to wait until users abandon your app or website because of numerous errors, data loss caused by a hacker attack, an unfriendly interface or poorly presented content before you decide to check your product.

In general, the reasons for a technical audit (either explicit or hidden) may vary. It is recommended when:

  • a new phase of product development is planned, and you want to make sure that the previous phases have been implemented effectively;
  • no application code review is practiced by a development team;
  • a new team is involved in working on the project;
  • no testers are engaged in the development team;
  • the user churn is increasing;
  • the application has low ratings in stores.

IT Audit Service in Umbrella IT

The technical IT audit procedure covers three key areas.

1. Code Review

What are the benefits for you?

After the code is reviewed using appropriate code audit tools, the identified bugs fixed, and the recommendations fulfilled:

  • the application can be extended at minimum cost, and the existing codebase can be used long-term (until some fundamental changes are required);
  • user data protection is guaranteed as the code review contributes to the security of web and mobile applications;
  • if required, a new developer can quickly start working with the application: no need to waste time trying to understand intricate code, because things have been put in order in advance.

What do we check?

1. Code Style

We check for reasonable and effective adherence to the best recommended coding practices. Simply put, it is vital for us that the code is easy to read, has a clear structure, is written in a uniform style and is self-documenting.

2. Code Architecture

This aspect is no less significant: if the code architecture is not thought out in advance, any future extension of the app may grow into a real challenge. Every new function will cost more, until you face the need to rewrite the app from scratch.

You can avoid such extra costs and prolong the code base life, if:

1) initially, you provide a flexible modular code architecture, and

2) periodically, you review the architecture and update / re-factor individual app modules/parts.

In this respect, we check the code against the following parameters:

  • system component interconnection: the less interdependent the components are, the better, because it is easier to remove or replace any updated parts;
  • configuration parameters: shall be kept separately from the code;
  • duplicate logic/code: complicates the introduction of new features, since modifications have to be found and made in several places, which increases costs;
  • adherence to the recommended practices of the language/framework used to create the app, and proper implementation of design patterns;
  • third-party solutions and libraries: to avoid outdated, partially used or suboptimal ones;
  • structure of app files and directories: any developer should be able to understand the project easily and start quickly;
  • code performance: whether server resources (memory, CPU time) and device resources are used efficiently (on a mobile device, consumption directly affects battery life);
  • recording/logging of events/actions: whether the system-relevant facts are recorded;
  • data structure.

3. Application Security Code-Level Review

We review the code for any potential vulnerabilities and threats to the security of user data, including checking:

  • credentials, private keys and passwords: best practice is not to store them in the code, otherwise anyone who gets access to the code gets all the accesses and keys;
  • vulnerabilities: the risk of SQL injection, XSS and CSRF attacks, or, simply put, the risk that your data will be subject to attack;
  • known vulnerabilities of the language/framework used to create the app;
  • error processing and exception handling: no server errors or their descriptions shall be visible to the user, etc.
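The three code-level checks above (secrets kept in the source, SQL built by string concatenation, and error details leaking to the user) can be illustrated in a few lines. The example below is added here and is not Umbrella IT's tooling or any client's code: it runs two simple regular-expression checks over a constructed sample of source lines, then shows the hardened counterparts (a secret read from the environment, a parameterized query against an in-memory SQLite table with constructed rows, and an error handler that logs the detail and returns a generic message). The regexes, sample lines and function names are assumptions made for the example.

```python
import logging
import os
import re
import sqlite3

# Constructed sample source (not from any real project) used as audit input.
# Lines 1-4 show the findings a code-level security review should raise;
# lines 5-6 show the patterns that pass.
SAMPLE_SOURCE = """\
API_KEY = "sk_live_example_not_real"
db_password = 'hunter2'
query = "SELECT * FROM users WHERE name = '" + name + "'"
cursor.execute(f"DELETE FROM sessions WHERE id = {sid}")
cursor.execute("SELECT id FROM users WHERE email = ?", (email,))
token = os.environ["API_TOKEN"]
"""

# A literal string assigned to a name that looks like a credential.
SECRET_PATTERN = re.compile(
    r"""(?i)\w*(api_key|secret|password|passwd|token|private_key)\w*\s*=\s*["'][^"']+["']"""
)
# SQL text joined to other values with "+" or built with an f-string.
SQL_CONCAT_PATTERN = re.compile(
    r"""(?i)(["'](?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*["']\s*\+)|(\bf["'](?:SELECT|INSERT|UPDATE|DELETE)\b)"""
)


def audit_source(source: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for the two review checks above."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SECRET_PATTERN.search(line):
            findings.append((lineno, "hardcoded secret"))
        if SQL_CONCAT_PATTERN.search(line):
            findings.append((lineno, "SQL built from string concatenation"))
    return findings


def load_secret(name: str) -> str:
    """Hardened form: read a credential from the environment, never the source."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not configured")
    return value


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_ids(conn: sqlite3.Connection, name: str) -> list[int]:
    """Hardened form: a parameterized query binds `name` as data, so input such
    as "' OR 1=1 --" is compared literally and cannot change the statement."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def error_response(exc: Exception) -> dict:
    """Hardened form: log the detail for operators; the user sees a generic message."""
    logging.getLogger("audit-demo").error("request failed: %r", exc)
    return {"error": "Internal error, please try again later."}


if __name__ == "__main__":
    for lineno, finding in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
    conn = build_demo_db()
    print(find_user_ids(conn, "alice"), find_user_ids(conn, "' OR 1=1 --"))
    print(error_response(RuntimeError("no such table: users")))
```

Pattern-based checks like these are a first pass only: they catch the obvious cases an auditor lists in a report, while the language-specific analyzers and a manual read of authentication and payment paths (the next section) cover the rest.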

4. Code-Level Review of Critical and Basic Functions

We check the mechanisms for authentication, authorization, transmission, and processing of key information (for example, processing of cash transactions, etc.).

2. Server Infrastructure Review

What are the benefits for you?

After the server infrastructure is checked, the weak points eliminated and the recommendations followed:

  • usage of server resources is optimized: you pay for those functions only that are actually used (and this can result in substantial savings);
  • system stability is enhanced: the app operates smoothly 24/7;
  • the system is ready for increased loads if any. You can securely increase the pace of your business.

What do we check?

1. Server Monitoring Reviews

We check server crash notifications and how quickly they arrive (within 30 seconds or within an hour).

2. Safety

  • access to system folders and files on the server: you will agree that there is nothing pleasant about user downloads having no access restrictions;
  • open ports on servers;
  • what rights are granted and to whom;
  • production environment passwords: checked for strength.

For example:

We do not consider a password secure if it consists of only 4 characters. Passwords shall be at least 24 characters long and include special characters.
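Three of the safety checks listed above (file and folder access restrictions, open ports, and the 24-character password rule) are easy to turn into repeatable checks. The script below is an added example, not Umbrella IT's audit tooling: it audits the permission bits of a temporary "uploads" directory it creates for the demonstration, parses constructed listener lines in the format of `ss -tln` to find ports bound on all interfaces that are not on an expected list, and applies the password rule from the article. The allowed port list, the special-character set and all sample data are assumptions made for the example.

```python
import os
import stat
import string
import tempfile

# Minimum length the article sets for production passwords.
MIN_PASSWORD_LENGTH = 24


def is_strong_password(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """Length and special-character rule from the article: a 4-character
    password fails, a 24+ character passphrase with punctuation passes."""
    has_special = any(ch in string.punctuation for ch in password)
    return len(password) >= min_length and has_special


def permission_findings(mode: int) -> list[str]:
    """Flag mode bits that let users other than owner and group read or write
    a server path (the 'downloads with no access restrictions' case)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        findings.append("world-writable directory without sticky bit")
    return findings


def audit_path(path: str) -> list[str]:
    """Apply permission_findings to a real path on disk."""
    return permission_findings(os.stat(path).st_mode)


def demo_upload_dir(mode: int) -> list[str]:
    """Constructed setup: create a temporary 'uploads' directory with the
    given mode and audit it, so the check can be exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, mode)
        return audit_path(uploads)


# Constructed listener lines in the shape of `ss -tln` output without its
# header; on a real server you would feed in the command's actual output.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

ANY_ADDRESS = {"0.0.0.0", "[::]", "*"}


def listening_sockets(ss_output: str) -> list[tuple[str, int]]:
    """Parse (local address, port) pairs from ss-style listener lines."""
    sockets = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        sockets.append((addr, int(port)))
    return sockets


def exposed_ports(ss_output: str, allowed: frozenset[int] = frozenset({22, 80, 443})) -> list[int]:
    """Ports bound on all interfaces that are not on the expected list (assumed
    here to be SSH and HTTP/HTTPS); loopback-only services are not reported."""
    return sorted({port for addr, port in listening_sockets(ss_output)
                   if addr in ANY_ADDRESS and port not in allowed})


if __name__ == "__main__":
    print("uploads 0777:", demo_upload_dir(0o777))
    print("uploads 0750:", demo_upload_dir(0o750))
    print("unexpected exposed ports:", exposed_ports(SAMPLE_SS_OUTPUT))
    print("4-char password ok?", is_strong_password("ab1!"))
    print("passphrase ok?", is_strong_password("correct-horse-battery-staple-42!"))
```

The port check reports 6379 in the sample because it is bound on every interface and is not on the allowed list, while 3306 bound to 127.0.0.1 passes; that distinction (exposed versus loopback-only) is what the "open ports" item in an audit report is about.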

3. Tools Used

We check whether the tools solve the tasks they were chosen for adequately, compared to their price.

4. Backup

We check whether it is set up or not. If not, the risk is high to lose the data.

5. Scalability

We check whether the infrastructure is capable of withstanding an increase in load. For instance, we check in detail what happens if 10 times more users enter the app.

3. System Testing

The information technology audit process also covers system testing. What does it mean? The product is subject to complete testing for any errors, vulnerabilities and / or faults.

What are the benefits for you?

After the IT system audit is complete, the detected errors and vulnerabilities are eliminated and the recommendations are fulfilled:

  • the product grows more attractive for the users;
  • the number of users increases due to appropriate search engine optimization (SEO). Product awareness grows. And, accordingly, your profit increases as well.

What do we check?

1. Functions

At this stage the app functions are black-box tested: we know what the app should do and check how it works without looking "inside" the product (we act as users).

2. UI/UX

From this point of view, the product is checked throughout all stages of testing. The final report lists UI/UX errors (prioritized to indicate whether they are critical or not) and recommendations for improvement (move the menu, change the color of the button, etc.). The following parameters are reviewed:

  • optimized and correct app display with all supported devices and browsers;
  • for a web application, the front end (HTML/CSS and JS code) is checked, since it significantly influences the ranking of app pages (in other words, it is critical for search engines) and user satisfaction (this is what users see and interact with, and they either like it or not);
  • general app structure: whether it is easy to navigate through pages/screens, and how the content of pages/screens is arranged.

3. Search Engine Optimization (SEO)

We check for compliance with all rules for SEO practices implementation.

Based on a study conducted by Search Engine Journal (involving specialists whose professional activity is related to search engine optimization), 77% of respondents believe that companies need to conduct an SEO audit every six months.

Since SEO plays one of the key roles in the popularity of any web app and/or website (increasing conversion), a separate SEO audit is often required. This is quite reasonable and, more importantly, doable.

SEO audit is conducted against a special checklist, which covers basic items affecting the promotion of the app/website in search engines (tags, canonical links, website map, image quality, easy navigation, clear code, etc.).

As a result of this separate audit, in addition to comments related to the checklist, recommendations for improvements are made in terms of search engine optimization (it is recommended to start a blog, identify a target audience and introduce appropriate changes, etc.). All results are recorded in a separate report in any form convenient for all intended recipients.

System Testing Procedure

1. The first stage is smoke testing (a minimum check of basic functions to identify obvious errors). This is a way to get familiar with the app and its logic. Test cases for more complex testing start to be developed here.

2. Testing is carried out at the deeper level: here we review complex interrelations between system components. They are evaluated and analyzed based on existing experience and knowledge. If there are certain requirements for the functions, the app compliance with such requirements is checked.

3. Tests are run against information technology audit checklists (for all items indicated above). At this stage, the exact testing scope and direction depend on what is identified at the previous stages and what app problems the testers have already faced.

At this stage, load testing is also carried out: load testing under expected loads and / or stress testing under extreme loads.

4. As the information is collected on all types of testing, a report is drawn up to specify all the results and relevant recommendations.

Report form: any (as agreed by the contractor and the client). The main criterion is that the report should have simple and easy to read form.

What do you get as a result of the technical product audit?

  • You are provided with an audit report, specifying all detected errors and vulnerabilities. Simultaneously, we indicate the priority level of such errors: critical, require attention or undesirable.
  • The report also covers recommendations (to improve the code, to optimize the server architecture, to improve UI / UX or SEO parameters, etc.).

You can find more information on our service on our IT Audit page.

You are welcome to follow the publications on our blog, where we describe the various IT audit services in Umbrella IT. Probably, this is what your business needs now to improve efficiency and get rid of avoidable problems.

Photo: Shutterstock.com