You've inherited a codebase from a previous vendor. Or maybe your internal team built something years ago, and now nobody remembers why certain decisions were made. Perhaps you're about to acquire a company and need to know what you're getting into. Whatever brought you here, you're asking the right question: What's actually in this code?

At Cuttlesoft, we've reviewed codebases ranging from scrappy MVPs to enterprise systems handling millions of transactions. Here's how we approach software audits, and what you can expect when you work with us.

What We Look For

A thorough code audit goes beyond running a scanner and generating a report. We evaluate your software across multiple dimensions:

Security

Security vulnerabilities don't announce themselves. We look for the OWASP Top 10 (SQL injection, cross-site scripting, broken authentication), but we also dig into your specific context. Are API keys hardcoded? Is sensitive data properly encrypted at rest and in transit? Do your dependencies have known vulnerabilities? Are old developer credentials still lingering in configuration files?

Upgrade axios@0.27.2 to axios@1.12.0 to fix
Allocation of Resources Without Throttling [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Server-side Request Forgery (SSRF) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Server-side Request Forgery (SSRF) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Regular Expression Denial of Service (ReDoS) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Cross-site Request Forgery (CSRF) [High Severity] in axios@0.27.2
    introduced by axios@0.27.2

Upgrade lodash@4.17.21 to lodash@4.17.23 to fix
Prototype Pollution (new) [Medium Severity] in lodash@4.17.21
    introduced by lodash@4.17.21 and 2 other path(s)

We've caught everything from unvalidated user input to authentication bypasses hiding in legacy endpoints nobody remembered existed.
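As an added illustration (not code from the original post or from Cuttlesoft), here is a small parser for scanner output in the shape quoted above. It turns the "Upgrade X to Y to fix" blocks into the per-package summary the report describes: current version, fixed version, finding count and worst severity, ordered worst-first. The sample text is constructed to mirror the block above; the severity ranking and the deduplication of repeated titles are assumptions.

```python
import re

# Constructed sample in the same shape as the scanner output quoted in the post.
SAMPLE_REPORT = """\
Upgrade axios@0.27.2 to axios@1.12.0 to fix
Allocation of Resources Without Throttling [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Server-side Request Forgery (SSRF) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Server-side Request Forgery (SSRF) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Regular Expression Denial of Service (ReDoS) [Medium Severity] in axios@0.27.2
    introduced by axios@0.27.2
Cross-site Request Forgery (CSRF) [High Severity] in axios@0.27.2
    introduced by axios@0.27.2

Upgrade lodash@4.17.21 to lodash@4.17.23 to fix
Prototype Pollution (new) [Medium Severity] in lodash@4.17.21
    introduced by lodash@4.17.21 and 2 other path(s)
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed ordering
UPGRADE_RE = re.compile(r"^Upgrade (\S+)@(\S+) to \S+@(\S+) to fix$")
FINDING_RE = re.compile(r"^(.+?) \[(\w+) Severity\] in (\S+)@(\S+)$")

def parse_report(text):
    """Group findings by package name; repeated (title, severity) pairs are kept once."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("introduced by"):
            continue  # dependency paths are not needed for the summary
        m = UPGRADE_RE.match(line)
        if m:
            name, cur, fixed = m.groups()
            current = packages.setdefault(name, {"current": cur, "fixed_in": fixed, "findings": []})
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            finding = (m.group(1), m.group(2))
            if finding not in current["findings"]:
                current["findings"].append(finding)
    return packages

def summarize(packages):
    """One row per package, sorted by worst severity, then by finding count."""
    rows = []
    for name, info in packages.items():
        worst = max(info["findings"], key=lambda f: SEVERITY_RANK.get(f[1], 0))[1]
        rows.append({"package": name, "current": info["current"], "fixed_in": info["fixed_in"],
                     "worst": worst, "count": len(info["findings"])})
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["worst"], 0), -r["count"], r["package"]))
    return rows

if __name__ == "__main__":
    for r in summarize(parse_report(SAMPLE_REPORT)):
        print(f"{r['package']}: {r['current']} -> {r['fixed_in']}, {r['count']} finding(s), worst {r['worst']}")
```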

Architecture and Scalability

Code that works today might collapse under tomorrow's load. We assess whether your architecture can handle growth: Are database queries optimized, or are there raw SQL queries that bypass your ORM's protections? Will your current design scale horizontally if needed? Are there bottlenecks waiting to emerge, like partials taking 28 seconds to render?

Beyond performance, we evaluate whether the architecture makes sense for your business. Sometimes the "right" technical decision isn't the best business decision, and vice versa.

Code Design and Organization

We examine how your codebase is structured. Are components properly separated? Is business logic buried in controllers where it's hard to test? Are stylesheets organized with consistent breakpoints and variables, or scattered across files with hardcoded values? We look for patterns that will make future development easier or harder.

Code Quality and Consistency

Technical debt accumulates silently. We examine naming conventions, documentation (or lack of it), and whether the codebase follows its own patterns consistently. Can a new developer understand this code in a reasonable timeframe? Would linting catch issues that are currently slipping through?

We also look at the build and deployment pipeline. Consistent, automated processes reduce the risk of human error and make your team more productive.

Dependencies and Risk

Modern applications rely heavily on third-party libraries. We audit your dependency tree for known vulnerabilities, abandoned packages, and licensing issues. That unmaintained library pinned to a four-year-old version? It might be fine, or it might be a ticking time bomb.

We run full security audits and document every vulnerability, categorized by severity, along with specific remediation paths. If you're running Rails 5.0.2 from 2017 when 7.x is available, we'll tell you exactly what you're missing and what the upgrade path looks like.

Testing and Coverage

We assess your test suite's health. Are there tests at all? When were they last updated? Do you have the right mix of unit, integration, and end-to-end tests? We'll identify gaps and recommend testing strategies that fit your team's workflow, whether that's RSpec for Rails, Vitest for React, or Playwright for end-to-end coverage.

Compliance

Depending on your industry, regulatory requirements may dictate how you handle data. Healthcare applications need HIPAA compliance. Financial services face PCI DSS and SOC 2 requirements. GDPR applies if you have European users. We review your codebase against the relevant standards for your business and flag gaps that could become liabilities.

For more on handling sensitive data, see our guide on data pseudonymization in Django, which covers techniques that can help satisfy regulatory requirements while maintaining data utility.

Our Process

We don't believe in black-box audits where we disappear for weeks and return with an impenetrable PDF. Our process is collaborative and transparent.

Discovery

Every audit starts with a conversation. What are you trying to accomplish? Are you preparing for a funding round? Evaluating an acquisition target? Investigating why production keeps catching fire? Understanding your goals shapes what we prioritize.

We'll discuss the system's history, known pain points, and any areas of particular concern. You know your business better than we do, and that context is invaluable.

Access and Environment Setup

We'll need access to your source code repository (typically via temporary Git access or an encrypted snapshot). Depending on scope, we may also need access to documentation, architecture diagrams, and a test environment where we can safely poke around without affecting production.

We handle your code with the same care we'd want for our own. NDAs are standard, and we're happy to accommodate any security requirements your organization has.

Analysis

Our review combines automated scanning with manual inspection by senior engineers. Automated tools catch the obvious stuff: known CVEs, code smell patterns, and formatting issues. But the nuanced problems require human judgment.

We trace data flows through your application. We question architectural decisions. We look for the things that scanners miss: business logic flaws, race conditions, assumptions that made sense three years ago but don't anymore.

For dependency analysis, we don't just flag outdated packages. We document the current version, the latest stable version, known breaking changes, and specific vulnerabilities with links to advisories.

Interim Check-ins

For larger audits, we schedule brief check-ins as we progress. If we find something critical, you'll know immediately, not weeks later in a final report. These conversations also let us ask clarifying questions and adjust focus if needed.

Deliverables

You'll receive a comprehensive report organized by category:

  • General Code Design and Organization: File structure assessment, component separation, routing patterns, and architectural recommendations
  • General Code Quality: Code style consistency, linting recommendations, and specific refactoring opportunities
  • Dependencies and Third-Party Integrations: Package-by-package breakdown with current versions, recommended versions, breaking changes, and vulnerability details
  • Security Audit: Full vulnerability scan with severity ratings (Critical, High, Moderate) and remediation paths
  • Logging, Exception Handling, and Error Tracing: Assessment of observability and recommendations for monitoring tools
  • Documentation: README quality, environment setup clarity, and knowledge gaps
  • Testing and Coverage: Current test state, coverage gaps, and recommended testing strategy
  • Configuration and DevOps: Environment configuration, deployment pipeline, and CI/CD recommendations
  • Performance: Specific bottlenecks identified with profiling data where applicable

Each finding includes context, evidence, and specific recommendations. We explain the why, not just the what.

When You Need an Audit

Some scenarios where a code audit makes sense:

  • Vendor transition: Taking over a codebase from another development team
  • Due diligence: Evaluating software as part of an acquisition or investment
  • Pre-launch review: Ensuring a new application is production-ready
  • Post-incident analysis: Understanding what went wrong after a breach or outage
  • Compliance preparation: Getting ready for SOC 2, HIPAA, or other certification
  • Technical debt assessment: Quantifying the cost of accumulated shortcuts

If you're dealing with fintech software, regulatory requirements add another layer of complexity. Our guide to fintech regulations covers the landscape US startups face.

What Happens After the Audit

We're not a body shop that throws junior developers at audits. Our reviews are conducted by senior engineers who've built and maintained production systems themselves. The same team handles our web development, mobile development, and SaaS development projects. They understand that code exists in a business context, not a vacuum.

An audit should be the beginning of a conversation, not the end. If you want help implementing our recommendations, whether that's a Django upgrade, React refactoring, or Rails modernization, we can do that. If you want to hand the report to your internal team and run with it, that's fine too. Our goal is to give you the information you need to make good decisions.

Ready for a Second Opinion?

Whether you're inheriting code, acquiring a company, or just want an honest assessment of where your software stands, we can help. Get in touch to discuss your situation. No pressure, no sales pitch, just a conversation about what you're dealing with and how we might help.
