Welcome to Veridise! Ensuring the security and integrity of your software is paramount, and we commend you for taking this crucial step towards enhancing your system's safety. If this is your first security audit, you may have questions about how to prepare. This guide will walk you through the essential steps.
Minimum Requirements
Preparing a Specific Commit for the Audit
- Commit Selection: It's vital to earmark a specific commit of your codebase for the audit. This establishes a stable reference point, ensuring clarity and consistency throughout the process.
This can be done up to the day before the audit start date.
- Documentation: Provide any relevant documentation. Architecture, design documents, or diagrams can be especially helpful.
This helps the auditors understand your system architecture, data flow, and other critical components.
Ensuring Reproducible Builds and Tests
- Clean Build: Start from a clean environment to ensure that the build and test processes are not dependent on any local configurations or cached data.
- Build Scripts: Provide any necessary build scripts and instructions. This ensures that our team can reproduce your development environment and the steps to get from source code to running application.
- Test for Every "Happy Path": The "happy path" is the typical, expected sequence of events in a feature or function. Ensure you have tests that cover each of these paths to validate that the system behaves as expected under normal conditions.
Code Quality and Formatting with Linters
- Linters: Use linters for your specific programming languages. They ensure code is consistent, clean, and follows best practices. Well-formatted code aids in the audit process by improving readability and reducing potential pitfalls.
- Code Standards: Adhere to recognized coding standards for your language or platform. This ensures your code is organized and reduces the likelihood of security vulnerabilities related to poor coding practices.
- Avoiding Duplication: Write functions to avoid copying and pasting code! This will reduce the time needed to audit your code and make the codebase more maintainable.
Code Coverage
- Test All Core Components: While testing the "happy paths" is crucial, it's equally essential to ensure that every core component of your software has been tested. Leaving components untested creates blind spots in security.
- Programmatic Coverage Checks: Use tools to programmatically check test coverage. These tools can highlight areas of your code that haven't been tested, providing a roadmap for improving test coverage.
- Combining Coverage with an Audit: High test coverage combined with a rigorous audit process gives a much higher level of security assurance than either on its own.
Enhancing Tests
- Testing the "Bad Paths": Not every interaction with your system will follow the expected route. It's vital to test for unexpected or erroneous inputs and actions to see how your system responds.
- Access Control Tests: Ensure every access control mechanism fails when it should. This verifies that unauthorized users cannot access protected resources or perform actions beyond their permissions.
- Checking Invariants: For systems, especially financial ones like pools, check for expected invariants. For instance, swapping one currency for another and then back shouldn't lead to the pool losing money.
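
The round-trip invariant from the last item, written as an executable check. This is an added example, not Veridise's or any project's own code: the `Pool` class, its constant-product formula, the fee and the `round_up` flag (which models a rounding bug) are all assumptions made for illustration.

```python
class Pool:
    """Toy constant-product pool with integer reserves (hypothetical, for illustration)."""

    def __init__(self, reserve_a, reserve_b, fee_bps=30, round_up=False):
        self.reserves = {"A": reserve_a, "B": reserve_b}
        self.fee_bps = fee_bps
        self.round_up = round_up  # True models a rounding bug that favours the trader

    def swap(self, token_in, amount_in):
        token_out = "B" if token_in == "A" else "A"
        r_in, r_out = self.reserves[token_in], self.reserves[token_out]
        net_in = amount_in * (10_000 - self.fee_bps)  # input after fee, scaled by 10_000
        num, den = net_in * r_out, r_in * 10_000 + net_in
        out = -(-num // den) if self.round_up else num // den  # ceil vs. floor
        self.reserves[token_in] = r_in + amount_in
        self.reserves[token_out] = r_out - out
        return out


def round_trip_violations(make_pool, max_amount=2_000):
    """Swap A->B, then swap all received B back to A, for every amount in range.

    Returns (amount_in, amount_back) pairs where the trader got back more than
    they put in or the pool's product of reserves shrank.
    """
    violations = []
    for amount in range(1, max_amount + 1):
        pool = make_pool()  # fresh pool per case so cases are independent
        k_before = pool.reserves["A"] * pool.reserves["B"]
        got_b = pool.swap("A", amount)
        got_a = pool.swap("B", got_b)
        k_after = pool.reserves["A"] * pool.reserves["B"]
        if got_a > amount or k_after < k_before:
            violations.append((amount, got_a))
    return violations


if __name__ == "__main__":
    # Constructed reserves; not taken from any real pool.
    sound = round_trip_violations(lambda: Pool(2_000_000, 1_000_000))
    buggy = round_trip_violations(lambda: Pool(2_000_000, 1_000_000, round_up=True))
    print("sound pool violations:", len(sound))
    print("buggy pool violations:", len(buggy), "first:", buggy[0])
```

The happy-path tests pass for both pools; only the invariant sweep separates the floor-rounding pool from the one that rounds in the trader's favour.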