A Guide to a Typical Tech Audit Process for Embedded Projects

Do you want to make sure your code works consistently and is free from technical debt and bugs before your embedded software project release? We’ve talked to Nazar Kohut, Lemberg Solutions’ Project Manager, to find out what a code audit is, how it works, and why it’s so beneficial for businesses.

What is a code audit in embedded projects? 

An embedded software code audit is often perceived as a static analyzer detecting a list of critical and non-critical vulnerabilities. The majority of static analyzers check the code for known types of weaknesses to test its endurance and security. However, you might receive an incomplete result for several reasons: 

• The code examples from a CPU vendor are stuck together with a bunch of extra modules that aren’t used in software
• Errors in the logic (e.g. absence of logic in a part of use cases), which will cause software failures 
• Poor reboot, reconnect, data resending, and over-the-air update mechanisms

Types of embedded software code audits

Superficial machine analysis (often used as a part of the manual, proper, or full-scale audit) 

With appropriate tools, like SonarQube, Embold, etc., this type of code audit is fast and affordable, but it does not provide a clear and complete picture in terms of logic.

Manual code audit 

In this case, a highly qualified embedded engineer investigates the code, its separate modules, and overall architecture based on the generally accepted principles of architecture construction. Later on, a QA engineer tests the code to identify bugs and malfunctions.

It is advisable to audit your code if:

• You know that the code needs optimization, even though there are no explicit issues. For instance, the code has been written quickly, based on SDK examples, and now needs to be cleaned up and prepared for further scaling.

  In this case, a software code audit will help you determine the amount of technical debt that has formed as a result of preferring easy and quick fixes over well-thought-out decisions. If you don’t settle the technical debt, it can accumulate so-called "interest," making it harder to implement changes and scale the product.

  You can also outsource the audit process and make the work of the core team more efficient. Using easy fixes to solve an issue due to a lack of company resources or expertise is an inappropriate solution, as it leads to the appearance of new bugs in function-impacted parts and delays the development of new functionality.



• The team can’t come up with any options to improve stability or performance of your product. A source code audit will provide you with a second opinion and help you embrace fresh optimization ideas. The opinion of a third party is crucial to enhance implementation of more sophisticated solutions. It's also the case that outdated code needs to be rewritten in order to improve overall performance or to make a transition to updated hardware.


• You want to check the quality of code and the qualifications of the team that worked on it. A software code audit is also a good way to check the quality of your vendor's services and determine your team's strengths and weaknesses as well as to get a clear list of recommendations for code improvement.


• You’re planning a deployment to fleet devices and your team is not sure about possible issues or security bugs. If you have any doubts about production deployment, we recommend taking 2-3 weeks to double-check everything. This way, you'll get the opportunity to fix all potential bugs before the new version’s deployment. The release of a product that fails to work properly/stably or has a security vulnerability might result in a very high churn rate and severe reputational damage.


• You’re investing in a startup, so it's crucial to check potential liabilities and delays in connection with additional development objectives. The described technical issues should be addressed by the startup's CTO; however, a quality code audit is another way to verify the liquidity of investments and the reliability of top management. Additionally, it is a way to help the team resolve technical issues before they start to interfere with company scaling and monthly recurring revenue growth objectives.


• Your company/startup is undergoing mergers and acquisitions, especially if the company's main asset is an algorithm. While a financial audit is a common endeavor, particularly as it helps to structure long-term financial modeling and meet expectations after a company acquisition, taking into account the technical risks that can result in additional investments is equally important. Thus, we advise a tech audit as an analog to a financial audit conducted by a third party to avoid unpleasant surprises down the road.

Benefits of a code audit in embedded projects

The code audit sheds light on the presence/absence of security vulnerabilities or functional gaps. If code lacks order, does not follow standard organization practices, or is riddled with unusual patterns or quick fixes, most probably, you'll find critical bugs deeper inside. By contrast, code that follows standard protocols sets up a more stable codebase that is flexible for the introduction of additional features.

The code review audit also determines whether it's possible to add new functionality and checks your code for bottlenecks. There are several other ways to verify your code: a battery drain analysis (for battery-powered devices); a memory usage analysis, helping to prevent stack overflow and understand the boundaries of hardware capacity; and a processing power analysis, to understand how much CPU capacity we have left for the new functionality.

Performing initial QA testing during the audit is a good practice to follow. It enables you to identify bugs and possible malfunctions in specific functional, security, load, and edge use cases. Together with an audit of logic, it also enables you to identify and fix unnoticed bugs before users spot them and shift to your competitor's product. 

If you're a service outsourcing company, a code review process will enhance your scope estimation process, as you'll be able to receive clear documentation and evaluate the amount of required work without spending your resources. You'll also create a positive professional image in the eyes of your customers by providing them with systematic value.

If you're a startup, it will enable the product owner to receive professional advice from the third party regarding the code and opportunities of the new features' implementation. As a result, you will be able to choose the highest-priority targets (technical debt, security issues, bugs, etc.) and either delegate them to a vendor or manage them inside your team.

If you're an investor, a code audit would be a perfect second step after the financial audit. A code audit will help you evaluate the technical risks, calculate discount rates, and assess cash-on-cash return more precisely. It also predicts additional liabilities and development time that are oftentimes missed during financial planning. According to a study, each hour spent on code review saves 30 hours in maintenance. A code audit will point out whether code review was performed properly and regularly.

How does embedded software code audit work?

The whole process takes 2-3 weeks and is usually performed by one engineer who is experienced in the technologies, protocols, and MCUs used in the code. Also, an experienced QA engineer is involved in the audit process. Throughout a week, a QA engineer processes possible use cases and tests different code levels based on the list of functions and the target audience of the device. Next, the developer and the QA engineer discuss the results and evaluate other possible use cases to add recommendations for additional features and changes in the existing logic. 

In this regard, hiring an outsourcing embedded development services company brings numerous advantages. Since the in-house programmers could miss possible issues as they have been working with the code for a long time, third-party engineers would be able to look at the code from a new angle and offer non-obvious solutions.

The code analysis and recommendations could be divided into 2 types:

• Major architectural changes, significant changes in logic
• Details on specific functions, modules, code, style, and clean-up

These are equally important areas of work; however, dividing them saves the team from getting trapped in excessive details. It also enables the team to primarily pay attention to more significant risks and eventually offer comprehensive recommendations for improvement of the system performance, something which will enable you to quickly scale the product in the future. After that, we focus on less time-consuming and simple refinements that will provide a quick and effective result.

Organization of the code audit process

Start with a kickoff meeting for discussion of: goals; requirements to the code after fulfillment of all audit recommendations; and the description of the current functionality and known issues. Also, don’t forget to think of the provision of technical documentation, source code, and devices in order to run and test the code.

In general, there are 6 main stages of a code audit: 

1. Architecture and functionality investigation (including review of technical documentation by developers, code examination performed using a static analyzer, investigation of separate logic modules; checking parts of the cloud (if necessary/available); investigating the entire architecture as a whole) 


2. Initial QA testing — a decent loop with functional, load, edge, and security test cases (initial functional and non-functional testing; use cases by a QA engineer) 


3. Code analysis and refactoring/rework suggestions


4. Documentation work (performed by developers, together with QA engineers). This stage involves: documentation of initial QA results on existing and potential bugs; documentation from the engineer in the refactoring format (recommendations for code clean-up, structure, style, SDK updates, fixing of existing bugs, and easy fixes); documentation from the engineer in the rework format (recommendations for processing individual modules, replacing or extending data transfer protocols, adding energy saving algorithms, improving existing logic and other architectural changes)


5. Scope estimation for the refactoring and rework phases


6. Presentation of the code audit results during a meeting and provision of three documents: Static analysis, recommendations on removal of vulnerabilities, and code style. Manual analysis, with refactoring recommendations on clean-up, fixing existing bugs, changing part of the logic to optimize performance. Manual analysis, with rework recommendations for profound changes, features' extension, addition of logic to prevent malfunctions, and other deep-optimization practices to significantly improve performance, capacity, scalability, etc.

The code audit can be performed on a time-and-material or a fixed-price basis. For embedded systems projects, we prepare the major part of the documentation without detailing it in terms of risks, the project charter, and other activities and documents necessary for larger projects. But the WBS, Timeline, SOW, and Communication Plan with a weekly status report will be delivered in any case.

The main condition for a fast and efficient code audit is the availability of technical documentation. It will simplify and accelerate the logic investigation, especially on large projects operating 100K+ lines of code. The absence of technical documentation won't be a reason for a significant delay of the audit, but keep in mind that without technical documentation or detailed introduction, the whole process will take longer.

A code audit is a cheap and effective way to: get a clear list of tasks to improve the tech part of the product; provide the team with room for development; and fix issues to get prepared for product deployment. It can be carried out by a third party after every major features' deployment to support project scalability and security. We advise you to delegate the code audit to experienced engineers and try to manage the process for no longer than 3-4 weeks, depending on the size of the project.

What will you receive as a result of the code audit?

• Document(s) on the static analysis, with comments indicating pieces of the code that need to be fixed. Inside, you'll also find recommendations regarding clean-up, security issues, and code style.


• Document(s) with recommendations for fixing existing bugs, deleting unused modules, updating examples and the SDK, changing the conflicting logic in the modules, improving the code structure, replacing easy fixes with proper ones, and other modifications as a part of refactoring.


• Document(s) with additional recommendations for logic and code improvements with explicit use cases; new technical feature implementations (previously unnoticed by the client) to enhance performance, scalability, code security (scripting, OTA provisioning, resetting firmware); introduction of an additional connection protocol or its replacement (for example, HTTP or MQTT); transforming the battery consumption logic (for example, adding a low power mode); and other improvements within the more profound analysis. 


• Estimation of the refactoring scope. Improving the code without changing its logic, yet fixing bugs and managing the clean-up process.


• Estimation of the rework scope. Rewriting code as well as adding new features, e.g. encryption, including the change and extension of the logic to improve crucial performance objectives. For example: 1. boost the radio signal; 2. prolong battery life; 3. approve the accuracy of data collected; 4. accelerate system operation at higher loads, etc.

Having received the code audit, the product owner will be able to choose between 2 options:

• Refactoring to obtain high-quality, secure, and manageable code for further product development
• Rework a part of the logic and significantly improve certain features of the product at this stage

In addition, you can choose the most important objectives from each of the scopes and prioritize the workflow based on the opinion of the product owner after considering dependencies.

Summing up

Even though it is a proven prerequisite for trouble-free and rapid growth of a product, code audit is used by only a small part of companies. If you would like to utilize a code audit for your product and ensure the smooth and efficient growth of your business, Lemberg Solutions has all necessary expertise to help you. Drop us a line to learn more about our code audit service and expert technology advisory, and we’ll get back to you shortly with answers to all your questions.