Was searching on audit platforms like CertiK and Hacken. And have a question: who decides to pay for audits like this? I mean, is it just marketing? Or does the management team really understand that an audit is important to create a better product?
I mean, an audit costs about 50 thousand and more, just like an engineer's salary. Is it really worth it?
External audits can be a useful way to have very experienced developers review your code without having to hire them full time. Very experienced developers are incredibly expensive to hire full time, which is why people will contract with them for one-off code reviews.
It is worth noting that not all audits are created equal. There are some auditing firms that just run some basic static analysis and print out a nice-looking report but don’t actually have an experienced engineer thoroughly review the code. These types of audits are generally worth very little, and people get them just so they can get a stamp of approval that they can show to regulators or users who don’t understand the purpose of an audit.
As to who pays for it, the person that should pay for the audit is the person who wants to know how risky the code in question is. If the developer pays for it, then it means the developers want to know how risky the code is. If the users pay for it, then it means the users want to know how risky the code is.