this post was submitted on 16 May 2024
41 points (93.6% liked)

Programming

I need to help auditing a project from another team.
I got the pointers on what's expected to be checked, but I don't have anything like templates for what's expected from an audit report, which also means I'm not sure what the usual process is for conducting an internal audit.
I mean I might as well read the whole repo, but maybe that's too much?

Any help or pointers on what I need to investigate to get started would be great!

all 13 comments
[–] [email protected] 31 points 6 months ago

Whoever asked for the audit should have told you what they were trying to find out. If not, ask them.

[–] [email protected] 25 points 6 months ago (1 children)

I won’t lie, I’m a bit curious why someone asked someone who has never performed an audit to perform one, what they’re actually hoping to find, and what they plan on doing with the results…

[–] coloredgrayscale 11 points 6 months ago (1 children)

Maybe they see OP as the best candidate for an audit or code review: someone who has good enough skills, has time available, and is an internal resource.

[–] [email protected] 7 points 6 months ago

I’m just having trouble calling that an “audit”.

[–] [email protected] 16 points 6 months ago (1 children)

For what purposes are you auditing this software? Auditing is always done to prove something is appropriate for some usage, and what that audit should involve depends on that usage and, additionally, on factors of trust between you and the author.

Would you be comfortable supplying some additional information about what you (or whoever asked you to run the audit) expect out of the audit?

[–] [email protected] 3 points 6 months ago (2 children)

It's regarding appropriate handling of user information.
I'm not sure it includes PII. Basically it's a ticketing system.
The pointers I got are: the software is secure and reliable for storing the data, and it can be queried to understand the updates the data has had.

[–] [email protected] 7 points 6 months ago

Is this related to highly sensitive PII (like HIPAA or whatever covers local health-care record treatment)? If so, I'd strongly suggest not doing anything and seeking a remedy from contractual obligations by the vendor (i.e. seek HIPAA-ready software or a vendor willing to make that promise).

If not, you'll definitely want to focus on data persistence and transmission.

Make sure there aren't outgoing network calls to fixed locations (if they're for error reporting to the vendor, you can either ask if they can disable the reporting, black-hole the reporting with network configuration, or carefully inspect the way data gets to that reporting and ensure user data can't be captured; a common oversight here is logging function parameters).

Make sure the persistence is secure by looking at the main persistence module (i.e. a database or flat file) to make sure unnecessary information isn't being stored, verification-only information is being written to persistence through one-way hashes, and data that should be two-way encrypted is. Then double-check the same things with regard to secondary persistence methods; again, a huge issue here is logging.

Those two points are where I'd suggest focusing the majority of your effort but, back to the HIPAA part, make sure you're comfortable doing this. It's pretty easy for auditors to be the fall guys if something goes wrong, so if you want to be careful, one approach is to carefully document what you've checked for and how you checked for it, then get someone above you to sign off that your level of auditing was sufficient. If shit ever does hit the fan you'll be less exposed.
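A worked illustration of the persistence and logging points in the comment above, added here as an example; it is not code from the original thread or from the ticketing system being audited. It puts a naive `save_user` that writes the record straight to the store and logs its parameters beside a hardened version that keeps only a salted one-way hash of the password and logs a redacted view, and it includes the check an auditor would actually run: does the secret turn up in the primary store or in the log? The function names, the in-memory `db` dict, the `SECRET_FIELDS` list and the sample record are all constructed for the example. Two-way encryption of fields that must be recoverable would use an AEAD from a library such as `cryptography` and is not shown.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO
from typing import Optional

# Fields that must never reach persistence or logs in clear text.
# Constructed for this example; a real system has its own inventory.
SECRET_FIELDS = {"password"}

# Capture the audit log in memory so the example can inspect it offline.
log_stream = StringIO()
audit_log = logging.getLogger("ticketing.audit.example")
audit_log.setLevel(logging.INFO)
audit_log.addHandler(logging.StreamHandler(log_stream))
audit_log.propagate = False


def drain_log() -> str:
    """Return everything logged so far and reset the buffer."""
    text = log_stream.getvalue()
    log_stream.seek(0)
    log_stream.truncate(0)
    return text


# --- the oversight the comment describes: secrets in the store AND the log ---------
def save_user_vulnerable(db: dict, record: dict) -> None:
    """Stores the record as-is and logs every parameter, so the password lands twice."""
    audit_log.info("save_user called with %r", record)  # secondary persistence leak
    db[record["email"]] = dict(record)                   # primary persistence leak


# --- hardened version ------------------------------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted hash for verification-only data (stdlib scrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


def redact(record: dict) -> dict:
    """View of a record that is safe to log."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in record.items()}


def save_user_hardened(db: dict, record: dict) -> None:
    """Persist only what is needed; the password survives solely as a one-way hash."""
    stored = {k: v for k, v in record.items() if k not in SECRET_FIELDS}
    stored["password_hash"] = hash_password(record["password"])
    audit_log.info("save_user called for %s", redact(record))
    db[record["email"]] = stored


# --- the auditor's check ---------------------------------------------------------
def audit_persistence(db: dict, log_text: str, secret: str) -> dict:
    """Does the clear-text secret appear in the primary store or in the log?"""
    return {
        "secret_in_db": any(secret in str(row) for row in db.values()),
        "secret_in_log": secret in log_text,
    }


def demo() -> dict:
    # Sample record constructed for the example.
    record = {"email": "alice@example.test", "display_name": "Alice", "password": "hunter2!"}
    weak_db, hard_db = {}, {}

    save_user_vulnerable(weak_db, record)
    weak_log = drain_log()
    save_user_hardened(hard_db, record)
    hard_log = drain_log()

    stored_hash = hard_db[record["email"]]["password_hash"]
    return {
        "vulnerable": audit_persistence(weak_db, weak_log, record["password"]),
        "hardened": audit_persistence(hard_db, hard_log, record["password"]),
        "hardened_verifies": verify_password(record["password"], stored_hash),
        "hardened_rejects_wrong": verify_password("not-the-password", stored_hash),
    }


if __name__ == "__main__":
    print(demo())
```

`audit_persistence` is the part worth keeping when you do the real review: point it at a dump of the actual store and at the application's log output after exercising a known test value, and it tells you directly whether either persistence path captured user data.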

[–] [email protected] 6 points 6 months ago

Ah, an auditability audit.

[–] [email protected] 8 points 6 months ago

Insufficient data.

I’ve worked in military industrial (FAA + DoD oversight), global scale VOD infrastructure (mostly due diligence and technical soundness), and biotech (FDA oversight). “Auditing” means wildly different things in different contexts.

[–] [email protected] 4 points 6 months ago

Maybe the word "audit" is incorrect? If they didn't provide you any guidelines, I'd definitely recommend asking. But it's possible they're just looking for your perspective on best practices and possible improvement ideas, more like a general code review.

[–] Kissaki 1 points 6 months ago

Ironic that you don't share the pointers on what's expected to be checked with us.