Aug 30, 2023
Warning to Software Companies: Audit Your Software
In one software audit a few months ago I worked with a small business here in Australia that hired software developers from a developing country. Within the first three hours of my analysis of the codebase I noticed I lacked the majority of the code necessary to execute the application. Not only that, I uncovered that the software developers hosted a significant part of the code on the internet, visible and accessible to the public. This decision is extremely poor practice and whether malice intent, incompetence, an honest mistake or just laziness, it breached the trust of the owner of the company.
This situation left my client both happy and upset. Happy that they found a software auditor like myself that discovered and informed them of a serious issue with the code. Upset that the software developer overseas that they hired with a Freelance Platform failed to provide all the source code, as promised in the original agreement.
In the end it all worked out, I worked with the client to discuss the situation with the software developer and retrieve all the source code necessary to execute and maintain the application. I am still unaware if the developer failed to hand over all the code with malice intent or they made an honest mistake. I perform software audits, not criminal investigations. However, it serves as an excellent warning to anyone that utilises platforms such as Upwork, Freelancer or any other similar platforms.
Warning: Hire an external software auditor to check deliverables if you lack the time or competence to double check the software yourself.
As an auditor, I work with several companies run by people without software expertise, instead they hire individuals or companies here in Australia or overseas to perform the work for them. A totally fine solution, however, it also means that they must possess a lot of trust with the software developers they hire. I call one notorious problem I see software developers perform: Software F*** You Insurance.
I call it this because to ensure job security a software developer with purposeful intent, fails to deliver all of the source code necessary to execute the application. In some cases it seems as though they deliver all of the code but as per the story I discussed above, an inspection by a qualified software engineer like myself easily discovers the problem. The software developer fails to deliver all the code as job security so that if one day a company wants to hire someone else for the project instead of them they left out enough of the code to make it almost impossible, which forces a company to continue to pay the original developer.
Software developers might also cause other problems such as:
- Inject malice code to steal or sell information from the application.
- Deliver unreadable code that means another software developer lacks the ability to maintain or add to the application.
- Fail to follow best practices that cause vulnerabilities that hackers exploit.
As per the situation for my client they scrambled for options to retrieve all the source code. They considered legal options but remembered that the software developer lived outside of their legal jurisdiction in a developing country, a whole another can of worms that deserves its own blog post.
I attempted to diffuse the situation and instead I suggested that we approach the software developer without accusations and ask for all of the source code, if that fails then consider other options such as to report the issue to the Freelance Platform. Luckily in this case my client received all of the source code and learnt an important lesson.
For anyone out there that hires software developers and stumbled upon my article I highly recommend to hire a qualified and reputable software auditor to check the code that another software developer delivers to ensure its quality, standard, integrity, authenticity, and much more.
Never, ever, ever, ever ever ever ever ask someone within the same organisation to audit a software program. They possess biases, inside information, fear to receive repercussions, and many other issues. If a company desires a stringent, honest, and unbiased review I suggest to hire an external software auditor with a well regarded reputation.
Remember, an auditor will receive a copy of the codebase, they will understand the inner workings of a software program. Therefore, a company must search for a reputable and trustworthy auditor. I also highly recommend to hire an auditor within the same legal jurisdiction of a company in case the auditor breaches any laws. To hire someone from another country and jurisdiction will only cause future problems if something goes wrong, stay safe and local.
One other recommendation I say to all my clients: get a second opinion. Just like with a medical issue, a second opinion provides another perspective from a qualified professional. The same with software auditors. Skills, experience, and expertise vary between software auditors, therefore a second opinion provides an opportunity to confirm an issue, discover further problems, and give other recommendations.
For any locals in Australia on the search for a software auditor, feel free to reach out and hire me for a software audit.