Why and How to Become a Source Code Auditor

Quick introduction:

The main focus of a source code auditor is to look for any security weaknesses or other bugs that may exist in source code. Any violations of programming conventions should also be discovered by the auditor. In practice, the job is like being a magnet that attracts every piece of code that could reveal important information about an organization's internal systems or database to potential attackers. A source code auditor is also responsible for spotting any violations of the licenses that govern a particular open source project.

Let’s talk about the responsibilities of a source code auditor:

Making use of automated security tools that scan for vulnerabilities is certainly advisable. Nonetheless, such tools can be fooled or may simply overlook existing weaknesses in a project, so there is still a strong need for manual code review conducted by a source code auditor. The responsibilities of the job can be summarized in the following points:

  • A source code auditor should help the development team prepare the code for the auditing process.
  • She should always take a close look at the source code, without skipping a line, in order to search for potential weaknesses.
  • She should also make sure that the basic notions of security are satisfied by the source code by reviewing all the authentication, authorization, session and communication mechanisms.
  • She is also expected to get involved in some penetration testing in order to rank the detected weaknesses and categorize them as high risk or low risk.
  • After the investigation, a source code auditor should be able to identify every spot in the code through which sensitive information could be leaked. This helps a great deal in preventing unauthorized access.
  • She should be well aware of the legal aspects of commercial and open source licensing, such as intellectual property law.
  • Any third-party libraries, whether open source or commercial, should be reviewed for security weaknesses by the source code auditor.
  • She should submit a comprehensive document containing all the results of the investigation to both the development team and the legal team.
  • The role of the source code auditor does not stop at reporting discovered code weaknesses, security leaks, or license violations. She is also responsible for providing a list of actions to be adopted by both the legal and development teams in order to solve the problems found.
  • A source code auditor should also be able to educate the development teams and hold training sessions that point out the security concepts to consider when developing any future code.

It is also worth noting that most of the time a source code auditor is in fact an independent consultant hired for the short term to discover any security weaknesses in a developed piece of code, rather than a member of staff within the organization.

What are the career paths for a source code auditor?

Career paths to the source code auditor job depend essentially on the individual interested in the job. Many professionals first work in the field of software or web application programming and then specialize in source code auditing along the way. Others start pursuing this interest while still at university, focusing on the security aspects of the code they develop during their studies and beginning the auditing path from there.

A source code auditor may also fill other roles besides auditing. Some of the hats that a source code auditor may wear along the way are:

  • Penetration Tester
  • Vulnerability Assessor
  • Forensics Expert
  • And, of course, she falls under the umbrella of the Security Consultant job.

Tell me about the salaries:

Looking at the BLS and Payscale figures, it is not an easy task to clearly determine the average salary for a source code auditor. The reason is the narrow specialization of the job, which leaves only estimates based on posted job listings. Using the SimplyHired website, we found an average salary of around $52,000 for jobs that include the term “source code auditor”. When the term “senior source code auditor” is used instead, an average salary of $57,000 is indicated.

What degree should I hold for this job?

In fact, a degree in computer science, cybersecurity, or any equivalent field is well suited to satisfying employers' requirements for the job. It is also worth noting that real-life experience with programming and auditing makes you much more attractive to employers. Such experience is valued even more than a master’s degree.

How much experience is needed for the job?

Working as a source code auditor is considered a mid-level security job, which puts the required experience at around 2 to 3 years. However, job listings for source code auditing positions are not abundant; in fact they are rare. As mentioned above, many companies simply hire an independent consultant to carry out the tasks of a source code auditor instead of keeping one on board all the time.

What hard skills are required?

Because your work deals directly with the source code you analyze, you should have a solid background in the programming languages most commonly used in real projects. The most important ones are C, C++, C#, Java, JSP, .NET, Perl, PHP, Ruby, Python, etc.

Other technical background that is needed:

  • Secure coding standards and guidelines such as those from CERT/CC, MITRE, Sun and NIST.
  • Experience with web application development and software development in general.
  • Interest and experience in penetration testing and conducting vulnerability assessments.

What are the desired soft skills for this exciting job?

It goes without saying that communication skills covering both technical and non-technical topics are highly desired by employers. A candidate should also show management skills, since part of the job is managing the issues and the code development from a security perspective. He should have strong problem-solving skills and should always be resourceful. Employers, of course, also examine the ethical standards of a candidate.

Besides this, the perfect candidate is one who keeps looking at the smallest details and questions everything he sees. Curiosity is essential for this job, because that is what the work consists of. A source code auditor should be patient, scrupulous and tenacious, and at the same time an analytical person.

Getting a job as a source code auditor requires the soft skills mentioned above and many more, because such skills are crucial in this role. Imagine how a source code auditor could work with the development team, including live pairing sessions, without any soft skills!

What certifications should I pursue to be the best candidate?

A dedicated auditing certification is offered by ISACA, an independent, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. The certification is called CISA and covers the auditing of information systems. It is the closest certification to source code auditing currently available, but there is no certification specifically for source code auditing. It is also advisable to obtain penetration testing certifications and the other certifications listed below in order to be the best candidate.

  • GIAC Software Security Certifications
  • CISA: Certified Information Systems Auditor
  • CISSP: Certified Information Systems Security Professional
  • CSSLP: Certified Secure Software Lifecycle Professional
  • CPT: Certified Penetration Tester
  • CEPT: Certified Expert Penetration Tester
  • GPEN: GIAC Certified Penetration Tester
  • OSCP: Offensive Security Certified Professional