Re: "Selling" a code-audit.

Adam Shostack <adam@homeport.org> writes:

> Don't call it an audit.  Call it a review, a walk-through, or something less
> agressive.

Right.  It's going to be tricky to avoid the perception by developers that
auditors aren't just externally-appointed code nazis come to criticise their
work.  One possible approach here is to treat it as a lead-in to the
developers themselves doing the reviews/walk-throughs.  So you start out with
(say) a half-day tutorial on security reviews/walkthroughs, and then spend the
second half of the day going through code with the in-house developers, as an
extension of the initial tutorial.  Although this may quack like a code
review/audit, all it's doing is using actual code to point out a few examples
for tutorial purposes (no, really!).  The actual code reviewing is then done
by in-house developers, possibly with a little further assistance (purely to
provide guidance and training, no more) by the external auditors/reviewers.

(Something to watch out for is that although everyone will be enthusiastic
 about code reviews initially, eventually some ship deadline will come up
 faster than expected and the reviews will be dropped to save time, and then
 another urgent deadline will appear, and pretty soon it'll all be going out
 unchecked again).

Peter.