What are the responsibilities of a Source Code Auditor?
As the name suggests, a Source Code Auditor reviews and studies source code to find potential security vulnerabilities, policy violations or bugs.
In your day-to-day schedule you will mostly be reviewing the source code of your organization's IT projects to determine whether any of it could expose them to cyber attacks.
Your job may also require you to work on legal issues, such as reviewing open source code for copyright infringement.
Although many automated tools exist for this work, they still lack the detailed judgment a human brings, so organizations still need someone to perform manual code audits. That is where you come in. You can expect to do the following:
- Conduct source code analysis line by line
- Analyze code alongside penetration testing to find out whether any high- or low-risk vulnerabilities are present
- Understand the terms of commercial and open source licenses and the intellectual property law behind them
- Conduct audits and deliver your results to legal and development teams
- Help development teams learn best practices for writing code so that vulnerabilities are prevented in the first place
- Help the development team prepare code for auditing
- Review the authorization, session, authentication and communication mechanisms of a codebase
- Find and identify the variety of issues that can result in sensitive information leaks or unauthorized access
- Study and review third-party open source or commercial libraries
- Conduct the audit, then file your findings and present them to the legal and engineering departments along with your recommended course of action
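The following is an added illustration, not code from the original article, of the kind of finding a manual review of an authorization mechanism produces. It shows a handler that authenticates the caller but never checks that the caller owns the requested record (the "before" an auditor would flag as a sensitive-information leak), its hardened form, and a small check an auditor might run against both. The record store, user names and function names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data store: two users, each with one private record.
RECORDS = {
    1: Record(1, "alice", "alice's private notes"),
    2: Record(2, "bob", "bob's private notes"),
}


class Forbidden(Exception):
    """Raised when a caller is not allowed to see a record."""


def get_record_vulnerable(current_user: str, record_id: int) -> str:
    """'Before' version an auditor would flag.

    The caller is authenticated (current_user is known), but the handler never
    checks that current_user owns the record, so any logged-in user can read
    any record simply by supplying a different id. This is an authorization
    gap, a classic source of sensitive information leaks.
    """
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError("no such record")
    return record.body


def get_record_fixed(current_user: str, record_id: int) -> str:
    """Hardened version: ownership is enforced on every lookup.

    A missing record and a record owned by someone else get the same error so
    that the response does not reveal which ids exist.
    """
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        raise Forbidden("record not found or not accessible")
    return record.body


def leaks_other_users_data(handler: Callable[[str, int], str]) -> bool:
    """Audit check: does the handler let bob read alice's record?

    Returns True when the handler hands back another user's data, i.e. when
    the authorization review should produce a finding.
    """
    try:
        handler("bob", 1)  # record 1 belongs to alice
    except (Forbidden, KeyError):
        return False
    return True


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_record_vulnerable),
                          ("fixed", get_record_fixed)]:
        print(f"{name}: leaks other users' data = {leaks_other_users_data(handler)}")
```

Run as a script it reports that the vulnerable handler leaks and the fixed one does not; the same `leaks_other_users_data` check is the kind of targeted probe an auditor writes to confirm a finding before reporting it.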
As a source code auditor you are welcome in many different cyber security positions; which one you pursue depends entirely on your personal preference. As a source code auditor, you could move on to become:
The average salary of a source code auditor is $67,190 per year. Base salary usually starts from $41,400 and can reach a maximum of $118,930 per year (2016 figures).
You should expect employers to demand a bachelor's degree in Computer Science, Cyber Security or a related technical field such as Engineering. For this position a master's degree is overshadowed by professional experience, so consider gaining significant real-world experience rather than a master's.
This largely depends on the job opening and the specific demands of an organization. Typically, organizations ask for at least 2-3 years of experience in auditing and IT security.
You should have good oral and written communication skills, because employers will want you to communicate regularly with non-technical staff such as legal professionals and business managers. You should also have strong problem-solving ability, ethical standards and good project management skills.
Attention to detail is very important in auditing, so you should be someone who can readily spot very small issues in a given piece of code. Auditors are expected to question everything they find, so they need a curious mind, with patience as an added bonus.
This is one of the only IT security positions that depends more on your soft skills than your hard skills, so make sure you develop them during your entry-level jobs.
A Source Code Auditor depends mostly on the soft skills mentioned above, but that does not mean you need no technical knowledge. You must have the following hard skills to succeed as a source code auditor.
- Programming languages such as C, C++, C#, Java, PHP, Ruby, .NET, Perl, Python and other related languages
- An understanding of web and software application development
- CERT/CC, Sun, MITRE and NIST secure coding standards and guidelines
- Vulnerability assessment and Penetration Testing
There are no specific certifications recommended for a source code auditor, and employers do not usually demand any. You can therefore choose whichever certifications boost your technical knowledge, especially in auditing information systems. Some source code auditors also take penetration testing accreditations, because these help with day-to-day tasks and generally make the work easier. We have listed a few certifications you may choose from; however, it is strongly recommended that you ask senior colleagues or mentors for advice.
- CISA: Certified Information Systems Auditor
- CSSLP: Certified Secure Software Lifecycle Professional
- CEPT: Certified Expert Penetration Tester
- OSCP: Offensive Security Certified Professional
- GIAC Software Security Certifications
- CISSP: Certified Information Systems Security Professional
- CPT: Certified Penetration Tester
- GPEN: GIAC Certified Penetration Tester
Latest posts by Jake Ciber (see all)