Acquired Codebase Security Checklist: 20-Item Audit Guide

TL;DR

When acquiring a codebase, rotate all credentials immediately, scan for hardcoded secrets in git history, audit dependencies for vulnerabilities, revoke access for previous developers, and review authentication patterns. 6 critical items must be done immediately, 9 important items within the first week, and 5 recommended items for thorough security. Trust nothing until verified.

Quick Checklist (5 Critical Items)

Rotate all API keys and secretsGenerate new keys for every third-party service: Stripe, AWS, database, email

Scan git history for exposed secretsUse TruffleHog or GitLeaks to search entire git history

Revoke access for all previous developersRemove access from GitHub, hosting platforms, databases, and services

Change all database passwordsRotate database user passwords and delete unused accounts

Run dependency vulnerability scanUse npm audit or Snyk to identify vulnerable packages

Credential Audit 5

Rotate all API keys and secretsGenerate new keys for every third-party service: Stripe, AWS, database, email, analytics. Do not assume old keys are safe. How to rotate API keys

Scan git history for exposed secretsUse TruffleHog or GitLeaks to search entire git history. Secrets committed years ago may still be valid. How to scan git history

Audit environment variablesReview all .env files, production configs, and deployment settings. Document what each secret is used for. How to audit environment variables

Change all database passwordsRotate database user passwords. Create new database users if needed and delete old unused accounts. How to rotate database passwords

Review OAuth and SSO configurationsRegenerate OAuth client secrets. Verify callback URLs point to domains you control. How to audit OAuth configuration

Access Control 4

Revoke access for all previous developersRemove access from GitHub, hosting platforms, CI/CD, databases, and all third-party services. How to revoke developer access

Audit admin accountsReview all admin users in the application. Delete or reset passwords for accounts you do not recognize. How to audit admin accounts

Check for backdoor accounts or endpointsSearch for hardcoded admin credentials, debug endpoints, or test accounts with elevated privileges. How to find backdoors

Review deployment accessAudit who can deploy to production. Remove unused deploy keys and CI/CD tokens. How to audit deployment access

Dependency and Code Audit 5

Run dependency vulnerability scanUse npm audit, Snyk, or Dependabot to identify vulnerable packages. Prioritize critical and high severity issues. How to run dependency audit

Update outdated dependenciesFocus on security-critical packages first: authentication libraries, crypto, HTTP clients. How to update dependencies safely

Review for malicious packagesCheck for typosquatted packages or dependencies with suspicious names. Verify package sources. How to detect malicious packages

Audit authentication implementationReview login, session management, and password handling. Check for common vulnerabilities. How to audit authentication

Review authorization patternsCheck that access controls are enforced server-side. Look for IDOR and privilege escalation risks. How to audit authorization

Infrastructure Review 6

Audit cloud provider accessReview IAM users and roles in AWS, GCP, or Azure. Delete unused users and rotate access keys. How to audit cloud access

Review security groups and firewall rulesCheck for overly permissive rules. Close unnecessary ports and restrict SSH access. How to audit firewall rules

Enable logging and monitoringVerify that access logs, error logs, and audit trails are enabled and being retained. How to set up logging

Review DNS and domain ownershipVerify domain ownership records. Transfer domains to accounts you control. How to verify domain ownership

Check SSL/TLS certificatesVerify certificate validity and ownership. Set up auto-renewal if not configured. How to check SSL certificates

Verify backup processesCheck that backups exist and can be restored. Test a restore to verify backup integrity. How to test backup restoration

Treat Acquired Code as Untrusted

When you acquire a codebase, you are inheriting someone else's security decisions, mistakes, and technical debt. You have no visibility into how credentials were handled, who had access historically, or what shortcuts were taken.

A 2024 study by Synopsys found that 84% of codebases contained at least one known vulnerability, and 48% contained high-risk vulnerabilities. The older the codebase, the higher the likelihood of issues.

Should I rotate all credentials after acquiring a codebase?

Yes, always. You have no way of knowing who had access previously or if credentials were ever shared inappropriately. Rotating all credentials is the safest approach.

How do I find hardcoded secrets in an acquired codebase?

Use secret scanning tools like TruffleHog, GitLeaks, or GitHub's built-in secret scanning. Also manually search for common patterns like 'api_key', 'password', 'secret', and 'token' in the codebase. Do not forget to scan the entire git history, not just the current state.

How long should a security audit of acquired code take?

A basic security audit takes 4 to 8 hours for a small application. Larger applications may require days or weeks. Prioritize credential rotation and access revocation first, as these are the highest risk items.

TL;DR

Quick Checklist (5 Critical Items)

Credential Audit 5

Access Control 4

Dependency and Code Audit 5

Infrastructure Review 6

Treat Acquired Code as Untrusted

Should I rotate all credentials after acquiring a codebase?

How do I find hardcoded secrets in an acquired codebase?

How long should a security audit of acquired code take?

Related Articles

Freelancer Handoff Checklist

GitHub Repository Security Checklist

How to Rotate API Keys

Scan Your Acquired Codebase

Acquired Codebase Security Checklist: 20-Item Audit Guide