This article is one of a 7-part series on “Technology Auditing Strategies” co-authored by Roberto Calderon and Dr. Paul Eder.

Auditors today need to be tech savvy. Nearly every new program in government has a technology component. Accordingly, it’s important to have tools in your belt for assessing the viability of the code and architecture of the technology-based tools.

Static code analysis is a method of program review that finds errors and defects without running the program. It helps auditors understand the code while also checking that the code in use was developed to industry standards.

Static code analysis supports the rule of thumb that when developing a new program or software, developers must consider every single detail of the code. The goal should be to minimize errors or bugs by the time the final product is delivered. In colloquial writing, the use of a period, comma, or colon is important in determining the pace and tone of the reading. Similarly, in software development, even the smallest omission or addition of a symbol can affect the whole program.

A skillful writer can find many ways of sticking to grammar rules while adapting to a desired writing style. Even if there is an omission here and there, readers may still be able to understand the overall message. In software development, by contrast, the smallest addition or misplacement of a symbol can affect the whole program. Consequently, it will either run differently than intended or simply not produce the outcome it is supposed to produce.

Many technology initiatives in government have adopted the GitHub platform for housing code. Accounts within GitHub are mostly used to host open-source software projects, and it is currently the largest host of source code in the world. GitHub allows for ready access to code and easy implementation of static code analysis.

Some of the advantages of static code analysis for auditors of technology systems include:

  • It allows for higher confidence in the white box testing portion of an audit. White box testing involves examining how the components of a technology tool work together at a functional level rather than just analyzing the software interface. It aids in the prediction of scenarios in which expected outputs might not be achieved. Static code analysis helps auditors identify the potential effects of any findings.
  • Auditors can easily find errors at any stage of development. Finding errors early is beneficial because the code can be reviewed while it is still being developed, leaving more time later for other issues, since the ones present at the beginning were already identified.
  • If the project design follows an agile model, code can be examined for specific user stories or sprints (if details of the code are stored in this way), which allows for quicker identification of root causes.
  • It reduces the cost of review. It is cheaper and less time-consuming to find mistakes within the code than to test the actual program at the interface level and then return it for review without prior knowledge of what could have gone wrong in the code structure.
  • Auditors can make more informed recommendations for fixing and debugging practices. Finding quality issues and mistakes directly in the code helps explain any anomalies identified in other areas of the audit.

Static code analysis requires specific applications or tools to help auditors identify bugs, errors, quality problems, or complex logic issues. These tools are available online and are designed either for a specific programming language or for multiple languages, and they are used extensively by developers. The value of these applications can be judged based upon:

  1. The accuracy with which they identify quality issues, bugs, and complex logic errors in the code, so that potential errors are prevented; and
  2. The speed at which they produce a response for auditors (either within the application or by producing a separate report).

We have found two applications to be particularly useful: Code Climate and DeepScan. Both applications integrate with GitHub and have very specific characteristics that allow white box testing to be faster and consistent with the goals of preventing and predicting failure scenarios in the development of a program or software.

  1. Code Climate is an online tool for white box testing that can be used as a browser extension for GitHub. Code Climate allows auditors to look at how the code is structured without leaving GitHub and identifies unnecessarily complex logic and other issues within the code. Code Climate works with a wide variety of programming languages, at a high-level view. This application provides a code quality score for the code reviewed and even shows recommendations for solving a specific issue within the code structure. Therefore, it helps auditors to predict application risks and identify technical debt in the code. In addition, with its command line interface, Code Climate allows analyses previously run in the cloud to be run locally on a laptop. After review, the code repository can be imported back into Code Climate for further analysis.
  2. DeepScan is an online tool that allows developers to check for potential issues in JavaScript code. JavaScript is one of the three core languages of the World Wide Web (WWW), the other two being Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS). JavaScript enables the creation of dynamic websites with content such as tables, charts, images, and even videos. Since almost all modern websites use JavaScript, web browsers have JavaScript engines to execute the language. This makes DeepScan very useful for auditing web development projects. DeepScan can support white box testing by combining static and dynamic analysis: it traces how the code would execute without actually running the program. By doing so, DeepScan identifies where code risks might be located as well as what issues the code structure might present. After running, DeepScan provides a grade for the project and displays a list of issues that might affect the code (by clicking on the Issues tab). Developers can even manage issues using the filtering tool DeepScan provides and take a detailed view of the code and changes by viewing files and issues in a separate pop-up window. After changes are executed and merged, DeepScan runs the code again and provides a new status report.
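
As an added illustration (not code from the article, Code Climate or DeepScan), the following constructed JavaScript checker shows the idea behind the tools above: it scans source text without executing it and flags the single-character mistakes the article describes, such as `=` where `===` was meant. The rules, the sample function and the grading scale are all assumptions made for this example.

```javascript
// Constructed toy static checker: scans JavaScript source text line by line
// without executing it. Not DeepScan's or Code Climate's code; the rules and
// grading scale are simplified assumptions made for this illustration.
const RULES = [
  { id: "assignment-in-condition",
    // `if (a = b)` assigns instead of comparing: one missing "=" changes the outcome
    pattern: /\b(if|while)\s*\([^()]*[^=!<>]=[^=][^()]*\)/,
    message: "assignment (=) inside a condition; did you mean ===?" },
  { id: "loose-equality",
    // "==" coerces types, so '0' == 0 is true; "===" avoids that surprise
    pattern: /(^|[^=!<>])==(?!=)/,
    message: "loose equality (==) coerces types; prefer ===" },
  { id: "eval-usage",
    // eval() runs whatever string it is given, a classic injection sink
    pattern: /\beval\s*\(/,
    message: "eval() executes arbitrary strings; avoid it" },
];
// Returns findings as { line, rule, message, source }, one per matching rule.
function analyze(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const code = text.replace(/\/\/.*$/, ""); // drop trailing // comments (naive)
    for (const rule of RULES) {
      if (rule.pattern.test(code)) {
        findings.push({ line: idx + 1, rule: rule.id, message: rule.message, source: text.trim() });
      }
    }
  });
  return findings;
}
// Letter grade from findings per ten lines: a constructed scale in the spirit
// of the project grade the tools above report.
function grade(source) {
  const perTenLines = (analyze(source).length / source.split("\n").length) * 10;
  return perTenLines === 0 ? "A" : perTenLines < 1 ? "B" : perTenLines < 2 ? "C" : "D";
}
// Constructed sample with three defects a reviewer would want flagged.
const SAMPLE = [
  "function isAdmin(user) {",
  "  if (user.role = 'admin') {   // should be ===",
  "    return true;",
  "  }",
  "  return user.level == 0;",
  "}",
  "function run(expr) { return eval(expr); }",
].join("\n");
for (const f of analyze(SAMPLE)) console.log(`line ${f.line}: [${f.rule}] ${f.message}`);
console.log("grade:", grade(SAMPLE));
```

A real analyzer parses the code into a syntax tree rather than matching line patterns, so it is not fooled by strings, nested parentheses or multi-line statements the way this toy is.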

Of course, static code analysis does not replace the need for manual code review. Rather, it should be seen as one tool in the auditor’s white box testing tool belt. It is, however, a powerful tool that should be welcomed to ensure your audit team has an efficient means of assessing the strength of code.