There are teams that rely exclusively on auditors for security before major launches. Other teams have strong internal security processes and don't involve auditors at all. We believe both approaches are suboptimal and increase security risk.
Benefits of external auditing
Even with a robust internal security review process, there are several benefits of external auditing:
- The person who developed the code inherently has a very different perspective from someone who is seeing it for the first time. The developer's perspective can help in finding certain issues but can also lead to missing others.
- External auditors are usually better at using certain security tools, since they audit a lot of contracts.
- External auditors keep up to date with emerging vulnerabilities and threats, both through active research and simply through reviewing lots of different contracts.
- Finally, external auditing is a useful "test" of the quality of the internal development process. If auditors find vulnerabilities, that means there are areas for improvement in the internal development process.
Benefits of internal security reviews
It's equally important not to exclusively rely on external auditors for security:
- Internal security processes create useful documentation that can assist auditors and maximize their productivity.
- Re-auditing is time-consuming and expensive for auditors, and a large number of errors could lead to additional auditing costs and delays.
- Auditors cannot guarantee that they will discover all issues.
- Having an internal security process means that if something "slips through the cracks" it is treated more seriously by the developers and can lead to process improvements. In the absence of internal reviews, security issues can simply be brushed off as human error.
To conclude, having both internal and external review processes creates a positive feedback loop in which each process benefits the other over time.