Code Audit

We will perform a code audit to aid pentesting. During a code audit, we manually examine the application's code to ensure there are no security vulnerabilities and use our understanding of the code to guide our pentesting. If vulnerabilities are found, we document them and suggest ways to fix them. This work is done by highly trained penetration testers who can both review the raw code and interpret the findings of automated scans, putting them into context.

During the code audit portion of penetration tests, we take the following criteria into account:

  1. Risk Assessment and Threat Modeling
    In this step, we analyze the risks of a particular application or system. Threat modeling is a specific, structured approach to risk analysis that enables us to identify, qualify, and address security risks, so it dovetails with the code review process. For example, user data is sacred: we focus on encrypted storage, determine whether employees have a backdoor into that data, and cut loose stolen devices by wiping them remotely and revoking their accounts.
  2. Purpose and Context
    Here we focus on risks related to the purpose of the code. Context-related risks differ, for instance, between source code that handles file upload and access and the source code of a web application.
  3. Complexity
    Much of a system's complexity lies in the frameworks that support the web application. We set those aside and focus only on the custom code and backend code, looking for implementation mistakes and known flaws in the systems in use. For example, we ensure you are using the latest versions of your software, but we do not delve into the framework itself. Since we assume the code is written by a team, it should be clearly written code. If you have several full-release versions, there will undoubtedly be several revisions of, and audits on, that code.

For more information, please refer to this link: https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents