Taking advantage of the code audit in 3 complementary steps

Implementing the results and recommendations of a code audit can prolong the life of your digital product, potentially pushing it to the next level of market share or in some cases even save the life of your whole business. But arranging an audit is a fairly straightforward matter, what really counts is what you do with the results. How do you take that information and use it to transform and update your app, website or platform?

You’ve just audited your digital product. Maybe it’s time to scale up for a bigger market. Maybe you’re ready to add new features for users. Maybe the app is getting a little old and is in need of a boost. Or it’s time to clear your technical debt. Whatever your motivation for carrying out a code audit (by the way, a UX audit would be complementary and is also highly recommended) once you have the results, now what? How do you go about using your audit results to improve your product?

Just to be clear… what is a code audit and what should you expect from it?

A code audit is an exercise in which a digital product undergoes an expert review, checking the code quality, software architecture, security measures, reliability and performance of that product.

A good audit will cover not only the code and technical aspects of the product but also the design elements that influence how the user experiences the product including its UX/UI design. Put another way, once your audit is complete, the results should include recommendations for:

  • Code, architecture and storage improvements.
  • Bugs to be fixed.
  • Security and maintenance.
  • User journey.
  • User interface design.
  • Addressing technical debt.
  • Readiness for the next phase of product development or business strategy (like scaling, for example).

The outcome of a good code (and UX) audit will be more than just a shopping list of issues to be fixed. Each issue should come with recommendations for action with any necessary cost/benefit analysis. Furthermore, the issues should be prioritized, based on the impact of the product as is, and as it will be, on both your users and your business goals.

The key to your product’s future success is in how you move forward on these issues, and that involves a focus on three main areas: your product’s sustainability, risk management, and its technical debt.

Code audit actions #1 – Sustainability

If the goal of a code audit is to give your digital product a new lease of life (or at least extend it) then it makes perfect sense to focus on the product’s sustainability. This is a complex but critical issue that can be broken down into four elements:

  1. Security
  2. Scalability
  3. Usability
  4. Maintainability

In more details:

1. Security – It’s hard to overstate the importance of ensuring your app’s security risks are minimized. There are a number of facets to the security issue. Firstly, there’s legal compliance; is your product in line with the relevant legislation, such as the EU’s General Data Protection Regulation (GDPR) and its harsh sanctions for non-compliance. Then there are your obligations towards users and clients; for example, what data do you collect and how do you store it; how vulnerable is it? There is also the physical danger to your app; it may be unlikely but events in the real world (fire, flood or earthquake?) do affect the virtual world; especially if they take place near the data center you’re using for storage.

Finally, any security issue comes with a cost, whether in app downtime or compensation for lost information.

2. Scalability – As users (and their needs) increase, so your product needs to grow, or get left behind. It can be a long and complex process, starting with your initial idea all the way through to a truly world-beating (and world-spanning) product; from prototypes to minimum viable products, to an initial product fit for the market, to an app scaled up for a much bigger market.

Each stage in the process builds on top of the last and once your product has been around a while, there are likely to be a few issues buried in the code that need untangling.

3. Usability – As we’re fond of saying here at Boldare, the user interface is like a joke: if you have to explain it, it’s not funny! Ultimately, your app or other digital product is there to be used. If you’re actually putting users off with your product experience, that’s counterproductive.

The goal is to fully meet user expectations with clear, accessible content and easy, intuitive navigation. These are the basics of a good user experience that can positively influence your business in various ways. You can read more about UX’s influence on your business in this article: Why and how UX matters for your business.

4. Maintainability – This is the degree to which you can understand, repair and improve the code of your product. For a long life, that code needs to be up to date, and the code and software architecture need to be ready for new features. This depends on neat, tidy, clear code. Otherwise, the ‘code entropy’ will only increase over time and each new feature added is more likely to break an old one.

Regular automated testing of code is often regarded as best practice maintenance that increases your product’s sustainability. Depending on how much improvement work the product is undergoing (and especially if multiple developers are working on it simultaneously) it may be worth setting up a program of continuous integration, whereby each developer merges their code with the original at least daily (ensuring that any conflicts between different work areas are picked up quickly).

Code audit actions #2 – Risk Management

All projects come with risk; hence risk management is a critical element of any project. Arguably, the process of implementing your code audit is more complicated (and therefore carries more risk) than starting a product’s development from scratch. With an existing product, you have users who might be alienated and lost, code that might be old (and vulnerable!) and require updating, or business priorities that might have changed.

The key to risk management in development is a comprehensive backlog of tasks and actions necessary to action the results of your audit. Such a backlog helps keep you on top of the work to be done, the future improvements, and the potential weak spots; thus mitigating product risks. From the perspective of improvements and further development, a good backlog gives you and your development team a snapshot of the product, telling you what state it is in and where you need to take it next.

The key to risk management via backlog is prioritizing. The backlog should be crystal-clear on what should be done when, and why. To achieve this:

  1. Align your backlog to your business goals.
  2. Focus on features that are used most often.
  3. Ask which parts of the source code have changed most often (most likely to need remedial attention).

Code audit actions #3 – Dealing with Technical Debt

What is ‘technical debt’? Technical debt is the extra work that has to be done later because of short cuts or cheap options taken earlier. To use an analogy, if you’re cooking and time is short, maybe you prepare the meal and it’s enjoyed by the people eating it, but because you were in a rush you left a lot of mess behind. That mess is the technical debt you have to clean up later… before cooking again.

In other words, there’s always a price. In this case of your digital product, that price is likely to be a combination of time and money.

Your code audit report should include a full taxonomy of the product’s technical debt; ideally with well-defined metrics that can be used to track progress in tackling it. The degree of urgency depends on how ‘contagious’ the debt is; i.e. what further problems could occur if you do nothing.

Common tactics to address technical debt include:

  • Updating or replacing unsupported libraries – Unsupported libraries are a risk to security and maintainability, mainly because newer libraries tend to have more up to date and better solutions available to developers. If a library is too out of date, you may even get to the point of being unable to work on your product until the library is updated or switched for a library with better support.
  • Refactoring in small, coordinated steps – Refactoring is the restructuring of the existing software architecture or code without changing the functionality or external behavior of the product. When refactoring and other work is done concurrently, you have the potential for problems. A recent example we came across was a project that included major code works in the database, while adding new features and fixing bugs at the same time. These different workstreams progressed in isolation and ended up incompatible. To maintain compatibility, it’s better to work in small, coordinated stages and release small changes often.
  • Deploy tests and metrics – During refactoring and other post-audit works, a program of small, rapid improvements and fixes can enable you to test changes rapidly as you go, monitoring progress. We recommend using automated tests and monitoring tools (e.g. New Relic, Datadog, etc.) in conjunction with the right metrics (e.g. error rates and app performance can ensure you’re checking that the changes you’ve made don’t ‘break’ anything else in the product)

Code audit into action

To summarize, implementing the results of your code audit starts with developing a plan or strategy based on a well-prioritized product backlog aligned with business and user goals. Many of the above issues can and should be discussed at an initial meeting of the development team (maybe a kick-off workshop for the project) at which metrics for code quality can be agreed, and then monitored as the work progresses (thus ensuring sustainability, risk management, and the tackling of technical debt).

Furthermore, paradoxically, a code audit is mainly a business tool. It’s focused on the product itself and its technical aspects, obviously, but at the same time an audit helps to provide a better focus on the business and company strategy. And this is why it should be important not only to technical decision makers (CTOs), but also other C-Level stakeholders: CEOs, CMOs, etc.

This article is based on a three-fold approach to implementing a code audit, first put forward in Boldare’s four-part webinar series, “What next after a code audit?” (watch it here).