Bruce Schneier mentioned in his blog this post in Slashdot about security theater. I've saw some discussions about it mainly over the point of removing people from physical security points of control. But what really caught my eye was the comment about different audit procedures for code related to new releases and patches.

Has anyone conducted a study to check if code audit is a viable security control for non-software vendor companies? I mean, almost all big companies that don't sell software have internal development teams providing maintenance and new features for the software they use. Does the process of auditing the code for security vulnerabilities bring enough security to compensate its cost?

I believe that the answer for this question is based on several variables, like the amount of changes in the code, the exposure of the software to motivated and skilled attackers and the presence of easier ways to exploit the process which is supported by the software.

Without an analysis of these aspects I think that code auditing processes can be more expensive than accepting the risk, or even becoming just more security theater.