Throughout this series, I've shared patterns discovered during a security audit of a Go authentication service: PKCS#12, timing oracle, lockout, CSRF, mTLS, CRL, CQRS. Let's now talk about the methodology itself: how the audit was conducted, and how we turned its findings into permanent tests that live in the code base.

The audit in successive passes

An audit isn't a single scan. It's an iterative process carried out in passes, each with its own objective and a diminishing yield of findings:

Static analysis — read the code, identify security patterns (or their absence), and note open questions for the later passes

Reconnaissance — understand the flows, dependencies and trust boundaries, and the TLS, session and authentication configurations
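To make the static-analysis pass concrete, and to show what "turning a finding into a permanent test" can look like, here is an added example that is not code from the audited service or from this series. It assumes a hypothetical finding from the timing-oracle pattern (a secret compared with plain `==`) and encodes it as a small `go/ast` check: it parses a Go file, flags any `==` or `!=` whose operand is named like a secret, and points at `crypto/subtle.ConstantTimeCompare`. The keyword list and the sample source are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// secretHints are lowercased substrings that mark an identifier as
// secret-bearing. Hypothetical list chosen for this example; a real
// project would tune it to its own naming conventions.
var secretHints = []string{"token", "secret", "password", "passwd", "hmac", "signature", "apikey", "api_key"}

// isSecretName reports whether an operand is a plain identifier or a
// field selector (x.Token) whose name contains one of the hints.
func isSecretName(e ast.Expr) bool {
	var name string
	switch v := e.(type) {
	case *ast.Ident:
		name = v.Name
	case *ast.SelectorExpr:
		name = v.Sel.Name
	default:
		return false
	}
	lower := strings.ToLower(name)
	for _, h := range secretHints {
		if strings.Contains(lower, h) {
			return true
		}
	}
	return false
}

// FindSecretEqualityComparisons parses one Go source file and returns one
// finding ("file:line:col: ...") per == or != that touches a secret-like
// operand. Comparisons against literals or call results are not flagged,
// so `subtle.ConstantTimeCompare(a, b) == 1` passes.
func FindSecretEqualityComparisons(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(f, func(n ast.Node) bool {
		be, ok := n.(*ast.BinaryExpr)
		if !ok || (be.Op != token.EQL && be.Op != token.NEQ) {
			return true
		}
		if isSecretName(be.X) || isSecretName(be.Y) {
			pos := fset.Position(be.OpPos)
			findings = append(findings, fmt.Sprintf(
				"%s:%d:%d: secret compared with %s; use crypto/subtle.ConstantTimeCompare",
				pos.Filename, pos.Line, pos.Column, be.Op))
		}
		return true
	})
	return findings, nil
}

// sampleSrc is a constructed input: one early-exit comparison that should
// be reported and one constant-time comparison that should not.
const sampleSrc = `package auth

import "crypto/subtle"

// Finding expected here: plain string equality on a bearer token.
func checkToken(token, expectedToken string) bool {
	return token == expectedToken
}

// No finding: constant-time comparison, the == is against the literal 1.
func checkTokenSafe(token, expectedToken []byte) bool {
	return subtle.ConstantTimeCompare(token, expectedToken) == 1
}
`

func main() {
	findings, err := FindSecretEqualityComparisons("sample.go", sampleSrc)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Wrapped in a `_test.go` file that walks the service's packages and fails on any finding, the check becomes the permanent test: a reintroduced plain comparison fails CI instead of waiting for the next audit pass.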