IT Audit: Better Prevent Than Cure. Technical Product Audit
Find the errors today in order to avoid problems in future.
Today we will dwell on one of the areas, namely, on technical product audit services.
WHAT IS THE RIGHT TIME FOR THE TECHNICAL PRODUCT AUDIT?
To come to the decision to check your product, you don’t have to wait until the users completely leave your app or website because of its user-unfriendly interface, numerous errors, data loss due to a hacker attack or the content that is presented in a wrong way.
The technical IT audit is recommended to be consulted about, in case:
- you plan to move to a new phase of product development, and want to check whether the previous phases have been implemented effectively;
- no application code review is practiced by a development team;
- a new team is involved in working on the project;
- the development team engages/engaged no testers.
In general, there are a lot of reasons for an audit (explicit and hidden), therefore, it is recommended to conduct checks anyway, to avoid any potential problems and difficulties.
WHAT DOES THE TECHNICAL IT AUDIT PROCEDURE COVER?
The technical IT audit services may be subdivided into three main parts:
- web or mobile application code review;
- server architecture review;
- system testing.
We suggest discussing every part in detail. We offer you an in-depth description of what exactly is checked during an audit, and what benefits you will get after your product has been checked from a technical standpoint, and you have followed the recommendations received.
Content, scope and period of an audit depend on the app volume, and on the exact plans for the future (i.e. the target focus):
- further development,
- app extension,
- modification, detection, and correction of bugs,
What are the benefits for you?
After the code has been reviewed, the identified bugs have been fixed, and the recommendations have been fulfilled:
- the application can be extended at minimum cost, and the current code base can be used longer (till the moment when it needs to be fundamentally changed);
- user data protection is guaranteed as the code review contributes to the security of web and mobile applications;
- If required, a new developer can quickly start working with the application: no need to waste time trying to understand the intricate code. In fact, things are put in order in advance.
What do we check?
- Code Style
We test reasonable and effective adherence to the best recommended coding practices. In simple words, it is vital for us that the code is easy to read, has a clear structure, is written in a uniform style and is self-documented.
- Code Architecture
This is a vital aspect, and if the code architecture is not thought out in advance, any app extension in the future will grow into a real challenge. Each new function will cost more and more until you face the need to re-write the app from scratch.
You can avoid such extra costs and prolong the code base life, if:
1) initially, you provide a flexible modular code architecture, and
2) periodically, you review the architecture and update / re-factor individual app modules/parts.
In this respect, we check the code against the following parameters:
- system components coupling: the less they are interconnected, the better (it is easier to exclude and replace any updated parts);
- configuration parameters: shall be defined separately;
- logic/code duplicate: this may complicate implementation of new features into the app (modifications have to be searched for and introduced in several places), and this may lead to costs increase (the modification is made in one place and forgotten to be made in some other);
- adherence to recommended practices of the language/framework used to create the app, and correct implementation of patterns;
- use of third-party solutions and libraries (may be outdated, partially used or non-optimal);
- structure of app files and directories: so that any developer can easily understand and quickly start with the project;
- code performance rate: whether server resources (memory, CPU time) or devices are adequately applied (for a mobile device battery consumption is critical);
- recording/logging of events/actions: whether the system-relevant facts are recorded;
- data structure.
- Application Security Code-Level Review
We check the user data security and vulnerabilities in the code. This covers:
- checking the code for significant accesses, private keys, and passwords: under the best practices, they should not be stored in the code, otherwise, anyone who accesses the code, gets all the accesses and keys;
- checking the code for vulnerabilities: (the risk of SQL injections, XSS, CSRF attacks, or, simply said, the risk that your data will be subject to attack);
- checking for identified vulnerabilities of the language/framework used to create the app;
- checking error processing and exceptions handling: the client should not see any server errors or their description in the app, etc.
- Code-Level Review of Critical and Basic Functions
We check the mechanisms of authentication, authorization, transmission, and processing of key information (for example, processing of cash transactions, etc.).
SERVER INFRASTRUCTURE REVIEW
What are the benefits for you?
After the server infrastructure has been checked, the weak points have been eliminated and the recommendations have been followed:
- usage of server resources is optimized: you pay for those functions only that are actually used (and this can result in substantial savings);
- system stability is enhanced: the app operates smoothly 24/7;
- the system is ready for increased loads if any. You can securely increase the pace of your business.
What do we check?
- Server Monitoring Reviews
We check, in what way we are notified of any server crash and how quickly (within 30 seconds or an hour).
- access to system folders and files on the server: you should admit, that there is nothing exciting in case the user's downloads have no access restrictions;
- production environment passwords: checked for being strong;
We do not consider the password secure if it includes 4 characters only. At least, the passwords shall consist of 24 characters, including special ones.
- open ports on servers;
- what rights are granted and to whom.
- Services Used
We check whether the way they solve the tasks set is adequate to their price.
We check whether it is set up or not. If not, the risk is high to lose the data.
We check whether the infrastructure is capable of withstanding load increase. We check in details, what happens in case 10 times more users enter the app.
The technical product audit also cover system testing. What does it mean? The product is fully tested for any errors, vulnerabilities and/or faults.
What are the benefits for you?
After the system testing is complete, the errors and vulnerabilities detected are eliminated and the recommendations are fulfilled:
- the product grows more attractive for the users;
- the number of users increases due to appropriate search engine optimization (SEO). Product awareness grows. And, accordingly, your profit grows too.
What do we check?
At this stage the app functions are black-box tested, this means we know what the app shall do, and check the way it functions without looking “inside” of the product (act as users).
From this point of view, the product is checked throughout all stages of testing. The final report lists UI / UX errors (prioritized in order to initially indicate whether they are critical or not) and recommendations for improvement (move the menu, change the color of the button, etc.). The following parameters are reviewed:
- optimized and correct app display with all supported devices and browsers;
- for web application the front end (HTML/CSS и JS код) is checked, since it sufficiently influences ranking of app pages (in other words, critical for search engines) and user satisfaction (in fact, this is what the users see and interact with, and either they like it or not);
- general app structure: whether it is easy to navigate through pages/screens, in what way the content of pages/screens is arranged.
- Search Engine Optimization (SEO)
We check for compliance with all rules for SEO practices implementation.
Based on the study conducted by Search Engine Journal (involving specialists whose professional activity is related to search engine optimization), 77% of respondents believe that companies need to conduct a SEO audit every six months.
Since SEO plays one of the key roles in popularity of any web app and / or website (increasing conversion), very often there is a need to conduct a separate SEO audit. And this is quite reasonable, and most importantly, doable.
Need an audit or have any questions? Ask us - we’ll help you!
SEO audit is conducted against a special checklist, which covers basic items affecting the promotion of the app/website in search engines (tags, canonical links, website map, image quality, easy navigation, clear code, etc.).
As a result of this separate audit, in addition to comments related to the checklist, recommendations for improvements are made in terms of search engine optimization (it is recommended to start a blog, identify a target audience and introduce appropriate changes, etc.). All results are recorded in a separate report in any form convenient for all intended recipients.
System Testing Procedure
1. The first stage is smoke testing (a minimum check of basic functions to identify obvious errors). This is a way to get familiar with the app and its logic. Cases are started to be developed for more complex testing.
2. Testing is carried out at the deeper level: here we review complex interrelations between system components. They are evaluated and analyzed based on existing experience and knowledge. If there are certain requirements for the functions, the app compliance with such requirements is checked.
3. Tests are run against checklists (for all items indicated above). At this stage, the exact testing scope and direction depend on what is identified in the previous stages and what app problems the testers have already faced.
At this stage, load testing is also carried out: load testing under expected loads and/or stress testing under extreme loads.
4. As the information is collected on all types of testing, a report is drawn up to specify all the results and relevant recommendations.
Report form: any (as agreed by the contractor and the client). The main criterion is that the report should have simple and easy to read form.
WHAT DO YOU GET AS A RESULT OF THE TECHNICAL PRODUCT AUDIT?
- You are provided with an audit report, specifying all detected errors and vulnerabilities. Simultaneously, we indicate the priority level of such errors: critical, require attention or undesirable.
- The report also covers recommendations (to improve the code, to optimize the server architecture, to improve UI / UX or SEO parameters, etc.).
If you have any interest in this topic and want to get more information - contact Umbrella IT right now.
And you are welcome to follow new publications on our blog - we will continue writing on various IT audit types. Probably, this is what your business needs now to improve efficiency and get rid of unnecessary problems. We’ll tell you what to do!