Bias and Smart Contract Audits

Jun 26

A major problem that you will encounter sooner or later is bias.

Consider the following:

Before you begin an audit, you're informed that the code contains three high-severity issues, hidden so well they're nearly indiscernible. This prior knowledge unavoidably shifts your auditing strategy. You might dive deep into the code.

In this example (assuming there are no other issues), the bias is positive, as the auditor will spend more time on the codebase. However, this scenario is obviously unrealistic, and in reality bias is often negative.

While bias is good in the example above, it is bad in the next one:

A challenge arises in subsequent rounds, as familiarity with the code and its known issues can decrease their effectiveness, which is directly tied to the bias introduced in the initial round. This means that in the subsequent round there will be focus issues.

To counteract this bias and enhance the thoroughness of the audit process, several strategies can be employed:

Changing the work environment, for instance, can offer a fresh perspective. Audit outside instead of inside.

Switching from digital audits to paper, or vice versa, can disrupt established thought patterns.

Delving into audit reports of similar projects can yield creative exploit ideas.

Engaging in discussions with the development team about potential areas can bring a fresh perspective.

Looking at docs (those who know me know that I never look at the docs during my first round).
