What Does a Source Code Auditor Do?
What is a Source Code Auditor?
A Source Code Auditor reviews source code to discover potential security weaknesses, bugs and violations of programming conventions. Automated code analysis tools can only go so far; to catch hidden vulnerabilities, companies still need to conduct manual code reviews. Basically, you will be looking for the needle in the haystack of a programming project (e.g. finding code that might expose data and system resources to attackers). You may also be involved with legal issues (e.g. analyzing open source code for copyright infringement).
It’s a role for the detail-oriented! In addition to spending a lot of time poring over code, you’ll be expected to draw up audit reports and recommend practical courses of action. Remember, too, that auditors often have to explain their findings to people who are less technically savvy. People skills go a long way in this job.
Source Code Auditor Job Responsibilities
During the course of your day, you may be asked to:
- Assist development teams in preparing code for auditing
- Analyze source code on a line-by-line basis
- Review authentication, authorization, session and communication mechanisms
- Conduct penetration testing to determine high-risk and low-risk vulnerabilities
- Identify issues that could result in unauthorized access or leaking of sensitive information
- Understand the subtleties of commercial and open source licensing (e.g. intellectual property law)
- Review third party commercial and/or open source libraries
- Deliver audit results to development and legal teams
- Translate audit findings into a recommended course of action for legal and engineering departments
- Educate development teams on best practices for code creation
Source Code Auditor Careers
Source Code Auditor Career Paths
Career paths for Source Code Auditors vary. Some people move into auditing after working as software or web application developers; others begin specializing in programming and security during university.
A lot of Source Code Auditors wear multiple hats. An auditor may also work as a:
And so on. Sometimes he or she may simply decide to be known as a Security Consultant.
Source Code Auditor Salaries
Thanks to the nature of the job, standard salary figures from the BLS and Payscale are tough to find. By scanning all its job listings for the term “source code auditor”, SimplyHired calculates the average salary for a Source Code Auditor to be $67,000 (2019 figures). For the term “senior source code auditor”, the average salary estimate jumps to $77,500 (2019 figures).
Source Code Auditor Job Requirements
This is a super-specialized cyber security position, so you’ll want to consider related job titles when you’re starting your search. Try terms such as IT Security Audit Manager, IT Risk Assessor, Security Risk Assessor, Cyber Security Auditor, and the like. Because their reports carry so much weight, auditors are often expected to have a solid base of cyber security experience. Think 2-3 years at the minimum.
Just starting out in the field? If you want to experiment on your own, OWASP can direct you to a number of Source Code Analysis Tools. You could also consider contacting folks who currently work in security consultancy firms that offer source code auditing. They’ll be able to tell you where the field is heading and what they’re up to. You may not land a job with them, but you’ll receive good advice and make some valuable contacts.
Employers will be looking for a bachelor’s degree in Computer Science, Cyber Security or the equivalent. Real-life programming/auditing experience may be more valuable than a master’s degree.
The amount of experience required will depend on the job listing (and listings for Source Code Auditors are rare indeed). Mid-level positions will generally ask for 2-3 years of experience in security and auditing.
It goes without saying that you should have an in-depth understanding of programming languages. These can include C/C++, C#, Java/JSP, .NET, Perl, PHP, Ruby, Python, and others.
Employers may also be interested in your knowledge of:
- CERT/CC, MITRE, Sun and NIST secure coding guidelines and standards
- Software and web application development practices
- Penetration testing and vulnerability assessments
On the whole, employers will want candidates with high ethical standards, strong problem-solving skills, the ability to communicate with technical and non-technical staff, resourcefulness and smart project management skills.
How is your eye for detail? Auditors are expected to spot the smallest issue. Along with being scrupulous, tenacious and patient, good candidates are curious. It’s not enough to accept information as given. Auditors must question everything they’re analyzing.
What’s more, a lot of these positions are shifting toward collaborative source code review and live pairing with developers. The soft skills this requires go far beyond those needed in most information security roles.
Certifications for Source Code Auditors
As far as we are aware, there is no dedicated certification for source code auditing (though ISACA does offer CISA, which covers the auditing of information systems). We have also listed some common penetration testing accreditations. When in doubt, ask colleagues and employers for advice.
- GIAC Software Security Certifications
- CISA: Certified Information Systems Auditor
- CISSP: Certified Information Systems Security Professional
- CSSLP: Certified Secure Software Lifecycle Professional
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional