Code Audit

If you are not technical enough to check the work being delivered.

If you are hiring developers on Upwork (or anywhere really) to build your vision.

If you have brought anything into your codebase.

I really recommend performing a code audit to ensure a minimum level of quality and security.

The client doesn't care about the code.

That's a saying I have heard multiple times, and, well, I tend to agree with it. In general you don't care. As long as it does what you expect, it is fine.

Is it?

It may be, when you are confident and trust that whoever writes the code, deploys the software, ... has your best interest in mind. That the person has the skills required, follows best practices and conventions, ...

If you have any doubts or concerns, I think a code audit could be beneficial, or at least some automated checking.

The main elements to focus on would be:

  • Security: is the code secure? Are there any secrets / passwords / ... that risk being leaked? (Rule: none of those in your code or repository; if something gets leaked, it needs immediate replacement.)
  • Code quality - syntax: a very subjective element, each developer having their own preferences. I would recommend using linters and tools that make sure the code follows a given format whenever possible. It enforces a set of constraints that help maintain a uniform codebase. See PSR for PHP, for example. This can be automated, with fixes applied automatically as well, ... just to make sure things look nice.
  • Code quality - behaviour: this is a bit harder to test / check, but tools like static analysis, type hinting, ... can help minimize the risk of issues. Here as well, there are tools that can do it for you.
  • Malicious intent: is your project sensitive enough that the developer would gain a benefit by accessing your data or code, introducing backdoors, or other ill-intended actions?
  • ... whatever else you feel is needed for you to feel good about what gets delivered.
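As an added illustration of the "no secrets in the repository" rule above (this is example code written for this page, not part of the original post): a small Python check that scans delivered source text for common credential patterns before acceptance. The detection rules, the allow-list and the sample PHP config file are constructed for this example and are far from exhaustive; a dedicated secret scanner in CI is the real fix.

```python
import re
from typing import List, Tuple

# Illustrative rules a reviewer would flag in delivered code (constructed, not exhaustive).
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # A credential-like name assigned a non-empty quoted literal, e.g. $db_password = 'hunter2';
    ("hardcoded-credential", re.compile(
        r"(?i)[A-Za-z_]*(?:password|passwd|secret|api[_-]?key|token)\b"
        r"\s*(?:=|=>|:)\s*['\"][^'\"]{4,}['\"]")),
]

# Reading configuration from the environment is the intended pattern, not a leak.
ALLOWED = re.compile(r"(?:getenv|\$_ENV|os\.environ|process\.env)")


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, rule) for every line that matches a secret rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWED.search(line):
            continue  # value comes from the environment, nothing is committed
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((path, line_no, rule))
                break  # one finding per line is enough for a review
    return findings


# Constructed sample of a PHP config file as a contractor might deliver it.
# The AKIA... value is the well-known AWS documentation example key, not a live credential.
SAMPLE_CONFIG = """<?php
$db_password = 'hunter2';
$api_key = getenv('API_KEY');
define('AWS_KEY', 'AKIAIOSFODNN7EXAMPLE');
$debug = false;
"""

if __name__ == "__main__":
    for path, line_no, rule in scan_text("config.php", SAMPLE_CONFIG):
        print(f"{path}:{line_no}: {rule}")
```

Run against a real checkout by walking the repository and calling scan_text on each file; any finding should block acceptance until the value is moved out of the code and rotated.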

I don't believe you should overdo it. Measure the benefits against the costs of policing everything. But I believe that you should always have a minimum setup that you ask your developers to follow as a condition for acceptance.

For most elements, it doesn't cost much to have. It can limit issues and facilitate future work. It can also be automated in a set-up-once, benefit-forever manner.