What Does a Source Code Auditor Do?
The Short Version
A Source Code Auditor reviews source code to discover potential security weaknesses, bugs and violations of programming conventions.
Basically, you will be looking for the needle in the haystack of a programming project – e.g. finding code that might expose data and system resources to hackers.
You may also be involved with legal issues – e.g. analyzing open source code for copyright infringement.
Source Code Auditor Responsibilities
Automated code analysis tools can only go so far. In order to catch hidden vulnerabilities, companies still need to conduct manual code reviews.
To that end, you may be asked to:
- Assist development teams in preparing code for auditing
- Analyze source code on a line-by-line basis
- Review authentication, authorization, session and communication mechanisms
- Conduct penetration testing to determine high-risk and low-risk vulnerabilities
- Identify issues that could result in unauthorized access or leaking of sensitive information
- Understand the subtleties of commercial and open source licensing (i.e. intellectual property law)
- Review third party commercial and/or open source libraries
- Deliver audit results to development and legal teams
- Translate audit findings into a recommended course of action for legal and engineering departments
- Educate development teams on best practices for code creation
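To make the line-by-line review of authorization mechanisms and the "unauthorized access" responsibility concrete, here is an added illustration (not code from the original page): a constructed document-lookup handler in the form a reviewer would flag, its hardened counterpart, and a small finding record of the kind an auditor delivers to the engineering team. The store, handler names and the Finding fields are all assumptions made for the example.

```python
"""Added example (not from the original page): what a manual source code
review of an authorization check looks for, and how the result is recorded.

Assumptions (constructed for illustration): an in-memory document store,
a `fetch_document_unsafe` handler that trusts the caller-supplied document
id without checking ownership, and a hardened `fetch_document` that does.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample data: document id -> (owner, contents)
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical record"),
}


class AccessDenied(Exception):
    """Raised when the requesting user may not read the record."""


def fetch_document_unsafe(current_user: str, doc_id: int) -> str:
    """'Before' version: looks the record up by id only.

    A line-by-line review flags this immediately: the user is authenticated
    but never authorized, so any logged-in user can read any document by
    supplying another id (an insecure direct object reference).
    """
    owner, contents = DOCUMENTS[doc_id]  # owner is fetched but never checked
    return contents


def fetch_document(current_user: str, doc_id: int) -> str:
    """Hardened version: ownership is enforced server-side on every call."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != current_user:
        # One error for both "missing" and "not yours", so the response does
        # not reveal which ids exist.
        raise AccessDenied("document not available")
    return record[1]


def is_denied(handler: Callable[[str, int], str], user: str, doc_id: int) -> bool:
    """True if the handler refuses the request (what an auditor expects for
    a cross-user read), False if it hands the data back."""
    try:
        handler(user, doc_id)
    except (AccessDenied, KeyError):
        return True
    return False


@dataclass
class Finding:
    """Minimal audit finding as handed to development and legal teams."""
    location: str
    severity: str
    description: str
    recommendation: str


def audit_authorization(handler: Callable[[str, int], str]) -> List[Finding]:
    """Behavioural check scripted alongside the manual read: does the handler
    let user 'alice' read bob's document (id 102)? Returns the findings."""
    findings: List[Finding] = []
    if not is_denied(handler, "alice", 102):
        findings.append(Finding(
            location=handler.__name__,
            severity="high",
            description="Handler returns another user's document; no ownership check.",
            recommendation="Verify the requesting user owns the record before returning it, "
                           "and return the same error for missing and foreign ids.",
        ))
    return findings


if __name__ == "__main__":
    for h in (fetch_document_unsafe, fetch_document):
        for f in audit_authorization(h):
            print(f"[{f.severity}] {f.location}: {f.description}")
```

Running the module reports one high-severity finding for the unsafe handler and none for the hardened one; the same shape of record (location, severity, description, recommendation) is what later gets translated into a course of action for the engineering and legal departments.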
Source Code Auditor Career Paths
Career paths for Source Code Auditors vary. Some folks segue into auditing after working as software or web application developers; others begin specializing in programming and security during university.
A lot of Source Code Auditors wear multiple hats. An auditor may also work as a:
And so on. Sometimes he or she may simply decide to be known as a Security Consultant.
Source Code Auditor Salaries
Thanks to the super-specialized nature of the job, standard salary figures from the BLS and Payscale are tough to find.
By scanning all its job listings for the term “source code auditor”, SimplyHired calculates the average salary for a Source Code Auditor to be $52,000. For the term “senior source code auditor”, the average salary estimate jumps to $57,000.
Source Code Auditor Job Requirements
Employers will be looking for a bachelor’s degree in Computer Science, Cyber Security or the equivalent. Real-life programming/auditing experience may be more valuable than a master’s degree.
This will depend on the job listing (and listings for Source Code Auditors are rare indeed). Mid-level positions will generally ask for 2-3 years of experience in security and auditing.
It goes without saying that you should have an in-depth understanding of programming languages. These can include C/C++, C#, Java/JSP, .NET, Perl, PHP, Ruby, Python, etc.
Employers may also be interested in your knowledge of:
- CERT/CC, MITRE, Sun and NIST secure coding guidelines and standards
- Software and web application development practices
- Penetration testing and vulnerability assessments
On the whole, employers will want candidates with high ethical standards, strong problem-solving skills, the ability to communicate with technical and non-technical staff, resourcefulness and smart project management skills.
How is your eye for detail? Auditors are expected to spot the smallest issue. Along with being scrupulous, tenacious and patient, good candidates are curious. It’s not enough to accept information as given. Auditors must question everything they’re analyzing.
What’s more, a lot of these positions are moving to source code review and live pairing with developers. The soft skills required for this go far beyond most information security roles.
Certifications for Source Code Auditors
As far as we are aware, there is no dedicated certification for source code auditing (though ISACA does offer CISA, which covers the auditing of information systems). We have also listed some common penetration testing accreditations. When in doubt, ask colleagues and employers for advice.
- GIAC Software Security Certifications
- CISA: Certified Information Systems Auditor
- CISSP: Certified Information Systems Security Professional
- CSSLP: Certified Secure Software Lifecycle Professional
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional