IT services and applications require third-party audits as a checkpoint to validate their security, performance and operational parameters. So, has your app been audited by a neutral third party yet? If you have an audit coming up, it’s best to go into it well prepared.
What can you expect during an app audit?
Third party auditing firms generally begin by asking a set of questions, then review documentation and source code, and study the project’s issue tracker. Once this is done, there’s a good chance that a second round of review questions may need to be asked.
The questions asked are usually focused on improving understanding of the software and its architecture, and the process used to build the software.
Here are the areas that an application audit process usually covers, and the questions you are likely to be asked during the process.
This relates to the development and release process used while building the application. Questions you may be asked include:
- What development process was followed — was it Scrum, Agile, or an ad-hoc process?
- What were the code review practices used?
- What was the application release process followed?
- What were the development, testing and production environments used?
This relates to third-party software or systems used. Likely questions include:
- List out the third-party software or systems that have been used in the application
- How do these systems interface with the application?
The audit team is likely to assess the competencies of the staff against the needs of the audit.
- List the names and roles of the team members, stakeholders, and development team
- How many man hours per week for each development team member is allocated to this project?
4. Technical Design
The Technical Design Document (TDD) for the application is studied here, based on which specific queries are raised.
Here are some of the more general questions to be prepared for, while other questions would be specific to your application:
- Can you provide a high-level enumeration and description of the entities in your schema and services architecture?
- Is there a source code repository that holds SQL scripts?
Issues related to application architecture are addressed to identify complexity and risks. Some questions you should expect include:
- Are there any parts of the application that have highly complex architecture?
- What are the storage systems and indexing solutions in use?
- Is there any communication or integration with other in-house systems?
Here, automation in the testing process, and the QA environment used, are the main focus. Likely questions include:
- What are the testing processes and tools used?
- Is automated testing in use?
This relates to the deployment of the application, back-ups, monitoring and so on. Here are some questions that may be raised:
- How are deployments performed?
- What backups are created and maintained, and where?
- What kind of monitoring and reporting setup has been configured?
- How will new versions or upgrades be deployed?
- Has a deployment architecture diagram been prepared?
- What type of maintenance is expected after deployment?
The scalability of the application in order to effectively serve its purpose for its users is examined here. Likely questions include:
- Are there any known performance or scalability concerns?
- What is the size of the target audience or audiences?
- What usage volume and data volumes have been tested to-date?
- How much “headroom” does the deployment environment have given target data and usage volumes?
Data security, privacy and protection from cyberattacks are key to any technology product. Some questions you can expect:
- Does your application integrate with the enterprise identity and access management solution?
- What password policies, in terms of password strength, expiration, reuse and frequency of change, are in place?
- Is password transmission and storage encrypted and unviewable?
- What functionality is available for remote access and support?
- Does the application encrypt data before sending it over the open network? What encryption standard is used?
- What additional security controls are available to mitigate the risk of malware and malicious code?
- Have application security controls been tested by a third party?
An audit is an important rite of passage for a new application, and having an app that checks most if not all the boxes can be a major weight off your shoulders! At CloudNow, we follow industry-best processes, leading tech stacks and the best tools on offer, not to mention we have experienced and cleared numerous audits of our customers’ applications. So talk to us today to see how we can help you build your app the right way, and sail through the audit process.