Auditing Methods
Techniques for identifying structural weaknesses—both technical and organizational—within deployed systems. Auditing is not a one-time event but an ongoing practice.
Audit Categories
Technical Audits
Code review, dependency analysis, configuration verification. Focus on what the system actually does versus what it claims to do.
Operational Audits
Access control review, logging verification, incident response testing. Focus on how the system is operated rather than how it is designed.
Architectural Audits
Trust boundary analysis, failure mode enumeration, dependency mapping. Focus on systemic properties rather than individual components.
Audit Principles
Adversarial Thinking
Assume compromise is possible. Ask what an attacker with various levels of access could achieve.
Evidence Over Claims
Verify that controls exist and function. Documentation of intent is not evidence of implementation.
Continuous Process
Systems change. Audits must be repeated. One-time certification is not ongoing security.
Methods
Dependency Enumeration
List all external dependencies. For each: who controls it, what access does it have, what happens if it fails or is compromised?
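As an added example (not code from the page), the following Python script answers the three questions above for each external dependency and also computes what fails when a given dependency fails. The manifest, the ownership registry and the set of internal controllers are all constructed for the illustration; a real audit would populate them from the system's lock files, SBOM and vendor records.

```python
"""Dependency enumeration audit (added example, constructed inputs).

For every external dependency reachable from the system under audit the
script records who controls it, what access it holds in our environment,
and the reverse-dependency closure: every component that fails with it.
Findings follow the shape the page asks for: severity plus evidence.
"""
from collections import deque

# Constructed manifest: component -> components it requires.
# "app" is the system under audit; everything else is external to it.
MANIFEST = {
    "app": ["auth-service", "payments-sdk", "metrics-agent"],
    "auth-service": ["identity-provider"],
    "payments-sdk": ["payment-gateway"],
    "metrics-agent": [],
}

# Constructed registry of what the audit learned about each dependency.
#   access:   what the dependency can reach inside our environment
#   fallback: documented behaviour when it is unavailable (None = undocumented)
REGISTRY = {
    "auth-service":      {"controller": "platform team",  "access": ["user-db"],
                          "fallback": "deny all logins"},
    "identity-provider": {"controller": "external vendor", "access": [],
                          "fallback": None},
    "payments-sdk":      {"controller": "external vendor", "access": ["network", "card-tokens"],
                          "fallback": "queue and retry"},
    "payment-gateway":   {"controller": "external vendor", "access": [],
                          "fallback": None},
    # metrics-agent is in the manifest but nobody recorded it here.
}
INTERNAL_CONTROLLERS = {"platform team"}  # constructed: parties we consider in-house


def enumerate_external(manifest, root="app"):
    """All dependencies, direct and transitive, reachable from `root`."""
    seen, queue = set(), deque(manifest.get(root, []))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(manifest.get(cur, []))
    return seen


def reverse_closure(manifest, dep):
    """Every component that transitively requires `dep`, i.e. fails with it."""
    requirers = {}
    for comp, deps in manifest.items():
        for d in deps:
            requirers.setdefault(d, set()).add(comp)
    seen, queue = set(), deque([dep])
    while queue:
        cur = queue.popleft()
        for r in requirers.get(cur, ()):
            if r not in seen:
                seen.add(r)
                queue.append(r)
    return seen


def audit_dependencies(manifest, registry, root="app"):
    """Return a list of findings, each with severity, finding text and evidence."""
    findings = []
    for dep in sorted(enumerate_external(manifest, root)):
        fails_with = sorted(reverse_closure(manifest, dep))
        info = registry.get(dep)
        if info is None:
            findings.append({"dep": dep, "severity": "high",
                             "finding": "not in registry: controller and access unknown",
                             "evidence": f"in manifest, absent from registry; fails-with={fails_with}"})
            continue
        if info["fallback"] is None and root in fails_with:
            findings.append({"dep": dep, "severity": "high",
                             "finding": "no documented failure behaviour for a system-wide dependency",
                             "evidence": f"controller={info['controller']}, fails-with={fails_with}"})
        if info["controller"] not in INTERNAL_CONTROLLERS and info["access"]:
            findings.append({"dep": dep, "severity": "medium",
                             "finding": "externally controlled dependency holds access in our environment",
                             "evidence": f"controller={info['controller']}, access={info['access']}"})
    return findings


if __name__ == "__main__":
    for f in audit_dependencies(MANIFEST, REGISTRY):
        print(f"[{f['severity']}] {f['dep']}: {f['finding']} ({f['evidence']})")
```

The registry gap for metrics-agent is the point worth noticing: enumeration from the manifest, not from what people remember, is what surfaces the dependency nobody has assessed.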
Data Flow Mapping
Trace data from entry to deletion. At each stage: who can observe it, who can modify it, how long does it persist?
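As an added example (not from the page), this Python script models one data class as a graph of stages and copies, then walks every path from the entry point to answer the three questions at each stage. The stages, copy edges, owning principal and boundary policy are constructed; in practice they come from interviews, schema reviews and log-pipeline configuration.

```python
"""Data flow mapping audit (added example, constructed inputs).

Each stage records who can observe the data, who can modify it, how long it
persists (None = no deletion policy) and which trust boundary it sits in.
Edges are copies. The audit reports the union of observers across the whole
lifecycle and flags unbounded retention, boundary crossings and modifiers
other than the owning system.
"""
from collections import deque

# Constructed stages for one data class (say, customer e-mail addresses).
STAGES = {
    "api-ingress":    {"observe": {"app"}, "modify": {"app"},
                       "retention_days": 0, "boundary": "internal"},
    "primary-db":     {"observe": {"app", "dba"}, "modify": {"app", "dba"},
                       "retention_days": 365, "boundary": "internal"},
    "nightly-backup": {"observe": {"dba", "backup-vendor"}, "modify": set(),
                       "retention_days": None, "boundary": "vendor"},
    "request-log":    {"observe": {"app", "sre", "log-vendor"}, "modify": set(),
                       "retention_days": 90, "boundary": "vendor"},
    "analytics":      {"observe": {"analytics-team"}, "modify": {"analytics-team"},
                       "retention_days": 30, "boundary": "internal"},
}

# Constructed copies: data written at the source stage also lands at each target.
FLOWS = {
    "api-ingress": ["primary-db", "request-log"],
    "primary-db":  ["nightly-backup", "analytics"],
}

OWNER = "app"                        # constructed: the only principal meant to modify
ALLOWED_BOUNDARIES = {"internal"}    # constructed policy: this data class must not leave


def reachable_stages(flows, entry):
    """Map each stage the data reaches to the path that carried it there."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in flows.get(cur, ()):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def audit_data_flow(stages, flows, entry, owner=OWNER, allowed=ALLOWED_BOUNDARIES):
    """Return the lifecycle-wide observer set and a list of findings with evidence."""
    paths = reachable_stages(flows, entry)
    observers = set()
    findings = []
    for stage, path in paths.items():
        meta = stages[stage]
        observers |= meta["observe"]
        route = " -> ".join(path)
        if meta["retention_days"] is None:
            findings.append({"severity": "high", "stage": stage,
                             "finding": "no deletion policy: data persists indefinitely",
                             "evidence": f"reached via {route}"})
        if meta["boundary"] not in allowed:
            findings.append({"severity": "high", "stage": stage,
                             "finding": f"data crosses into the '{meta['boundary']}' boundary",
                             "evidence": f"reached via {route}; observers={sorted(meta['observe'])}"})
        extra_modifiers = meta["modify"] - {owner}
        if extra_modifiers:
            findings.append({"severity": "medium", "stage": stage,
                             "finding": "principals other than the owner can modify the data",
                             "evidence": f"modifiers={sorted(extra_modifiers)} via {route}"})
    return {"observers": sorted(observers), "findings": findings}


if __name__ == "__main__":
    report = audit_data_flow(STAGES, FLOWS, "api-ingress")
    print("who can observe this data somewhere in its lifecycle:", report["observers"])
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['stage']}: {f['finding']} ({f['evidence']})")
```

The request log is the instructive case: nobody designed it as a store of this data, yet it carries a copy to a vendor for 90 days, which a stage-by-stage walk from the entry point finds and a review of the primary database alone would not.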
Failure Injection
Deliberately cause failures. Observe how the system responds. Compare to documented expectations.
Access Verification
Attempt to access resources without authorization. Verify that controls actually prevent access rather than merely log attempts.
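The two methods above, failure injection and access verification, are shown together in this added Python example (not code from the page) because both exercise the same authorization function. The system under audit, its allowlist and its documented expectation ("deny when the policy service is unavailable; deny everything not on the allowlist") are all constructed. The harness runs three implementations: one that fails open when its policy dependency times out, one that logs the violation but permits it anyway, and one that behaves as documented.

```python
"""Failure injection and access verification against an authorization
function (added example, constructed system and expectations).

The harness tries every request that is NOT allowlisted, then breaks the
policy dependency and repeats a sample of requests, comparing the outcome
to the documented expectation in both cases. A control that logs a denied
request but still returns allow is caught by the first check; a control
that turns a backend outage into blanket access is caught by the second.
"""
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("audit")

# Constructed allowlist of (principal, resource, action).
ALLOWLIST = {
    ("alice", "/reports", "read"),
    ("alice", "/reports", "write"),
    ("bob",   "/reports", "read"),
}
PRINCIPALS = ["alice", "bob", "mallory"]
RESOURCES = ["/reports", "/admin"]
ACTIONS = ["read", "write"]


class PolicyClient:
    """Stand-in for a remote policy service."""
    def allow(self, principal, resource, action):
        return (principal, resource, action) in ALLOWLIST


class FailingPolicyClient(PolicyClient):
    """Injected fault: the policy backend is unreachable."""
    def allow(self, principal, resource, action):
        raise TimeoutError("policy service unreachable")


# --- three implementations under audit ----------------------------------
def authorize_fail_open(client, principal, resource, action):
    """Anti-pattern: a backend outage becomes blanket access."""
    try:
        return client.allow(principal, resource, action)
    except TimeoutError:
        log.warning("policy check failed for %s, allowing", principal)
        return True


def authorize_log_only(client, principal, resource, action):
    """Anti-pattern: the violation is recorded but never blocked."""
    try:
        allowed = client.allow(principal, resource, action)
    except TimeoutError:
        allowed = False
    if not allowed:
        log.warning("unauthorized: %s %s %s", principal, action, resource)
    return True


def authorize_fail_closed(client, principal, resource, action):
    """Documented behaviour: deny unless the policy service says yes."""
    try:
        return bool(client.allow(principal, resource, action))
    except TimeoutError:
        log.warning("policy check failed for %s, denying", principal)
        return False


# --- audit harness --------------------------------------------------------
def verify_access(authorize):
    """Access verification: every non-allowlisted request that succeeds is a finding."""
    findings = []
    for p in PRINCIPALS:
        for r in RESOURCES:
            for a in ACTIONS:
                if (p, r, a) in ALLOWLIST:
                    continue
                if authorize(PolicyClient(), p, r, a):
                    findings.append({"severity": "high", "method": "access verification",
                                     "evidence": f"{p} {a} {r} returned allow; not in allowlist"})
    return findings


def inject_failure(authorize):
    """Failure injection: with the policy service down, the documented outcome is deny."""
    findings = []
    for p, r, a in sorted(ALLOWLIST | {("mallory", "/admin", "write")}):
        if authorize(FailingPolicyClient(), p, r, a):
            findings.append({"severity": "high", "method": "failure injection",
                             "evidence": f"{p} {a} {r} returned allow while policy service was down"})
    return findings


def audit(authorize):
    return verify_access(authorize) + inject_failure(authorize)


if __name__ == "__main__":
    for impl in (authorize_fail_open, authorize_log_only, authorize_fail_closed):
        findings = audit(impl)
        print(f"{impl.__name__}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f["severity"], f["method"], "-", f["evidence"])
```

Note that the fail-open implementation passes access verification cleanly; only injecting the dependency failure reveals it, which is why the two methods are complementary rather than interchangeable. The log-only implementation produces a warning line for every denied request, so a reviewer reading logs alone would conclude the control works.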
Output
Audits should produce:
- Enumeration of findings with severity assessment
- Evidence supporting each finding
- Recommended mitigations where applicable
- Acknowledgment of audit scope and limitations
Audits reveal problems. Fixing them requires separate action.