When Code Review Audit Trails Pay Off
Test and Monitor | Posted August 07, 2013

Knowing Your Organization’s Skills

Unless you’re in a disagreement with someone, an audit trail is seldom of interest to a developer. Audit trails, by their very nature, exist to allow oversight: who did what, and when? As management tools, though, they are very useful when assessing risk in both your code and your organization.

Assessing code risks

If you ask most development managers what keeps them up at night, chances are it is not schedule or user interface issues. What keeps us up at night are the things that might have been overlooked or poorly coded and will lead to vulnerabilities. Customers today are sophisticated enough to tolerate ordinary bugs in the code, with one exception: security flaws. A breach has consequences that only the victims can try to clean up, and people are unforgiving when a software company has not done its part to harden its application against attackers.

One way to avoid that particular nightmare is to enforce code reviews. More importantly, use a tool that records each review, so you can confirm that the most vulnerable areas of the code (authentication, cryptography, input parsing, anything that handles untrusted data) were actually reviewed, and that the defects found in review were fixed rather than merely noted. Code review audit trails show you not only which code was reviewed but also who reviewed it and when.

A side benefit of having that information is being able to quickly identify the people most familiar with an area of code if an issue does arise in production. How you handle a production issue is as valuable as being able to prevent one. Using the code review tool to isolate the individuals best equipped to troubleshoot and resolve the issue allows you to deliver a resolution quickly and keep your customers calm.

Assessing your organization

A common question from development managers when discussing code review is how to build the talent pool so they have more people in the organization they can trust to perform reviews. A code review tool’s audit trail provides key data about how your team performs and communicates. It records not only who submitted code for review but also how many defects were found, the defect rate (defects per thousand lines reviewed), and the number of files submitted for review. This kind of information is invaluable in determining who the rising stars are in your organization and who needs additional help.

A common issue with implementing code reviews is the lack of senior talent who can be trusted to do a good review. The audit trail can also help you spot high performers who could be your next reviewers by looking at metrics such as Inspection Rate (lines of code reviewed per hour) and Time in Review. Read those numbers together rather than in isolation: a very high inspection rate paired with zero defects found usually indicates a rubber-stamp review, not a fast and thorough reviewer. Using the audit trail to find the right people, combined with other tool-assisted capabilities such as review pools and visible comments, sets up a learning environment in which developers can be guided through the process of becoming a reviewer.
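To make the metrics in the two paragraphs above concrete, here is an added example (not code from the original article or from any particular review tool) that mines a small, constructed audit-trail export. It computes per-reviewer inspection rate and defect density, per-author submission and defect figures, flags reviews that ran faster than an assumed 500 LOC/hour threshold without finding anything, lists defects that were recorded but never marked fixed, and compares the reviewed file set against the files changed in source control to find high-risk paths that nobody reviewed. The record layout, the path prefixes treated as high-risk, and the rate threshold are all assumptions for illustration.

```python
"""Mining a code review audit trail for the signals the article describes.

All data below is constructed sample data in a hypothetical export format;
real review tools use different field names. Thresholds are assumptions.
"""
from collections import defaultdict

# Constructed audit-trail export: one record per completed review.
REVIEWS = [
    {"id": "R101", "author": "alice", "reviewer": "bob",
     "files": ["auth/login.c", "auth/session.c"], "loc": 400, "minutes": 60,
     "defects": [{"id": "D1", "severity": "high", "fixed": True},
                 {"id": "D2", "severity": "low", "fixed": False}]},
    {"id": "R102", "author": "carol", "reviewer": "bob",
     "files": ["ui/menu.c"], "loc": 200, "minutes": 30, "defects": []},
    {"id": "R103", "author": "alice", "reviewer": "dave",
     "files": ["net/parse.c"], "loc": 900, "minutes": 15, "defects": []},
    {"id": "R104", "author": "bob", "reviewer": "carol",
     "files": ["crypto/kdf.c"], "loc": 300, "minutes": 45,
     "defects": [{"id": "D3", "severity": "high", "fixed": True}]},
]

# Files changed in the same period, as reported by the SCM (constructed).
CHANGED_FILES = {"auth/login.c", "auth/session.c", "ui/menu.c", "net/parse.c",
                 "crypto/kdf.c", "crypto/rng.c", "docs/README.md"}

# Assumed: path prefixes the team treats as security-sensitive.
HIGH_RISK_PREFIXES = ("auth/", "crypto/", "net/")
# Assumed: a review faster than this is suspected of being a rubber stamp.
MAX_INSPECTION_RATE = 500  # lines of code per hour


def _loc_per_hour(loc, minutes):
    """Inspection rate; a review with no recorded time is treated as infinite."""
    return float("inf") if minutes == 0 else loc * 60 / minutes


def _per_kloc(defects, loc):
    """Defect density; zero lines reviewed means no meaningful density."""
    return 0.0 if loc == 0 else defects * 1000 / loc


def reviewer_metrics(reviews):
    """Per reviewer: volume, inspection rate (LOC/hour) and defects per KLOC."""
    acc = defaultdict(lambda: {"reviews": 0, "loc": 0, "minutes": 0, "defects": 0})
    for r in reviews:
        m = acc[r["reviewer"]]
        m["reviews"] += 1
        m["loc"] += r["loc"]
        m["minutes"] += r["minutes"]
        m["defects"] += len(r["defects"])
    for m in acc.values():
        m["inspection_rate"] = _loc_per_hour(m["loc"], m["minutes"])
        m["defect_density"] = _per_kloc(m["defects"], m["loc"])
    return dict(acc)


def author_metrics(reviews):
    """Per author: files submitted and defects found per KLOC of their code."""
    acc = defaultdict(lambda: {"files": 0, "loc": 0, "defects": 0})
    for r in reviews:
        m = acc[r["author"]]
        m["files"] += len(r["files"])
        m["loc"] += r["loc"]
        m["defects"] += len(r["defects"])
    for m in acc.values():
        m["defect_density"] = _per_kloc(m["defects"], m["loc"])
    return dict(acc)


def suspicious_reviews(reviews, max_rate=MAX_INSPECTION_RATE):
    """Reviews that exceeded the assumed rate threshold and found nothing."""
    return [r["id"] for r in reviews
            if _loc_per_hour(r["loc"], r["minutes"]) > max_rate and not r["defects"]]


def open_defects(reviews):
    """Defects a reviewer recorded that were never marked fixed."""
    return [(r["id"], d["id"], d["severity"])
            for r in reviews for d in r["defects"] if not d["fixed"]]


def unreviewed_files(reviews, changed_files):
    """Changed files that appear in no review at all."""
    reviewed = {f for r in reviews for f in r["files"]}
    return sorted(changed_files - reviewed)


def unreviewed_high_risk(reviews, changed_files, prefixes=HIGH_RISK_PREFIXES):
    """The subset of unreviewed files under security-sensitive paths."""
    return [f for f in unreviewed_files(reviews, changed_files)
            if f.startswith(prefixes)]


def review_coverage(reviews, changed_files):
    """Fraction of changed files covered by at least one review."""
    return 1 - len(unreviewed_files(reviews, changed_files)) / len(changed_files)


if __name__ == "__main__":
    for who, m in reviewer_metrics(REVIEWS).items():
        print(f"{who}: {m['inspection_rate']:.0f} LOC/h, "
              f"{m['defect_density']:.1f} defects/KLOC")
    print("suspicious reviews:", suspicious_reviews(REVIEWS))
    print("open defects:", open_defects(REVIEWS))
    print("unreviewed high-risk files:", unreviewed_high_risk(REVIEWS, CHANGED_FILES))
    print(f"review coverage: {review_coverage(REVIEWS, CHANGED_FILES):.0%}")
```

On the constructed data, dave’s single review of net/parse.c runs at 3600 LOC/hour with no findings and is flagged, defect D2 is still open, and crypto/rng.c was changed but never reviewed, which is exactly the kind of gap in a high-risk area the audit trail is meant to surface. The same coverage figure is what a due diligence or compliance auditor asks for when they want to know how much of the code base review actually touches.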

Getting Ready for Acquisition

If you’ve ever been through the acquisition/funding wringer, you know that much of it is unpleasant. What sounded like an easy win-win negotiation over beers can end up being a never-ending string of legalities and number crunching. Luckily for most of us on the development side of the house, our participation is usually limited to the due diligence piece, which is really about demonstrating that the code you said you built really exists and that you have done your best to make it of worthy quality.

What do Due Diligence teams care about?

Here’s where having a code review tool can come in handy, even for a small start-up. Most start-ups run lean and are far more interactive than larger companies: code reviews are casual conversations in a cube, with the code up on the monitor. That can get the job done, but when push comes to shove and the Due Diligence Team descends upon you, you may find yourself having to prove your quality processes to them, and a conversation in a cube leaves no record.

Primarily a Due Diligence team is concerned with the following:

  • The structure of your code base
  • The quality of your code base
  • Vulnerabilities in your code base
  • Your code quality processes

How can a Code Review Tool help?

While your source code control system and defect tracker can help provide information on portions of this, a code review audit trail is invaluable in showcasing your processes: it reports who performs your code reviews, how often, and how much of your code base is covered by review. Being able to hand an auditor non-anecdotal evidence that you take code quality seriously, and have records to prove it, will make the Due Diligence process go far more smoothly.

Regulated industries

Several industries require code review. If your application is targeted at a specific audience, you should verify whether that industry is one with software regulations. Examples of regulated industries include Financial Services, Medical Devices, Healthcare, and Aerospace/Defense. In those cases, auditors are required to verify that the processes outlined in the applicable regulations are being followed. Often the auditors are not technical staff, so they are really looking for evidence of adherence more than anything else. A code review tool that shows who performs code reviews and how often gives them the assurance they need to verify your company’s compliance.

Are you doing enough with your code reviews?  Did you find this article useful?  Let us know what you think in the comments section.
