Let’s say that ACME, Inc. is making closed-source software. It’s closed for a reason (they don’t want it leaving their building other than in compiled form). Now, they are hiring some company/person to audit the code for them. How exactly is this done?
If I were ACME, Inc., I would want the audit person (or persons) to come to my physical location, get literally locked into a room with no Internet access, and be carefully frisked for any USB sticks or any other electronics both when they enter and leave, with cameras recording the screen and the auditor’s face/hands 100% of the time he/she spends in there, and with that footage carefully looked at by my own employees as it happens and/or afterwards.
However, this sounds both demeaning for the person doing the audit, and also unrealistic for anything but the biggest and richest companies. (And with a security-conscious/paranoid CEO.)
I cannot imagine that they just ZIP up their source code tree and e-mail it to the auditor or something similar. Even with encryption and whatnot, this just feels horribly insecure. I would feel as if the second the source code is sent to the auditor remotely, it’s “left the building” and become “potentially public”.
How is this done in practice? Do companies really trust the security of the audit companies? As I type this, I realize how silly that sounds, since they are after all paying them to find flaws in their own code, but still, something about not controlling the whole process just sounds horribly insecure.
I wouldn’t be surprised if you answered that most companies these days just have a “private GitHub repo” to which they grant the auditor access in some GUI. But I would never, ever do that myself…