cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let’s hear it!
I’ve reviewed code, in particular I’ve looked over merge requests on occasion but mostly out of academic interest than being very concerned over security. Just want to see how people accomplish a task. Learning.
I’ve monitored network traffic just because sometimes I just want to do that rather than paranoia. Practice and learning.
I’ve run code through a local SonarQube instance and whatever other scanning software I feel like trying, along with building applications from source, but again it’s not from paranoia but for personal interest that’s mostly just making sure I’m in practice of being able to do so.
I’m not a security professional so I don’t have the background and experience to really notice things that can be problematic like people I know who have a career directly cyber-net-etc-security related rather than my tangential
So really I don’t audit code. At least not huge codebases. When it’s just a few 100 line files of Python to accomplish something, I’ll read them. There’s usually a requirements.txt in there though, pulling in pip packages, and I know I haven’t audited up the dependencies. At work there’s standards handled by people where it’s their job to determine whether the code you’ve written and dependencies pass the minimum to be deployable to computers on the network, and that too is mostly handled by security scanning software, both open source and closed commercial software.