When you start the audit of code for security vulnerabilities, initially you will be doing Candidate point analysis. Over a period of time you will get more information about the code. When the code base is bigger, you will be wondering which section of the code to start it. To get somewhat clear idea about the code and class hierarchy, i will always run that against doxygen and generate html file and go through that. You know it saves lot of my time.