The difference between Auditor and Security Researcher

Aitor Zaldua
4 min read · Jul 22, 2023
Picture from effecthacking.com

Want to be a smart contract auditor? Contact me for learning paths, advice and real-world challenges by email at aitor.zaldua@draftdigital.xyz or in X as @azdraft_.

There’s been a lot of talk about Twitter, not just in recent weeks because of Facebook’s new social network, but ever since Elon Musk bought Twitter.

The blue check, the 600 tweets a day policy… all a lot of news to discover something we already knew: We love Twitter.

Yes, those TikToks with the puppies are really funny, and they also tell us the whole life story of Taylor Swift… but Twitter is still king as a social media work tool.

And for a web3 professional, it is gold. Because it is one of the most powerful tools for finding new information, new developments or, in my case, new system vulnerabilities.

So I read Twitter in the morning. With my coffee. Like my grumpy old grandfather did with the newspaper in the eighties. I wish I had a dressing gown and a pipe too.

Anyway, I was reading my newspaper, ahem, Twitter. And this thread caught my eye.

https://twitter.com/SpearbitDAO/status/1681078061003952129

Exactly! I had nightmares about this question, why does it matter and is it really just semantics? Spearbit is a big reference in the security ecosystem, so it is the voice we need to define concepts.

So make yourself comfortable, I have already read it and I offer you the result.

Security Auditor

What Spearbit said: “An auditor conveys a role that involves checking the compliance of systems or procedures against a defined set of standards or regulations.

Mechanical, systematic, with little creativity to push boundaries beyond status quo.”

OK, a little bit too hard, isn’t it? When I read the definition, my first thought was that being an auditor is a terrible job. But I changed my mind a bit. Because sometimes we need “mechanical, systematic, with little creativity” work.

For example, following a pattern and not overthinking is better for a mid-level security engineer. If they don’t have the level yet, it’s better to stick to a plan, look for the most common attack vectors, and leave the review and improvisation to the senior security researcher. The company and the customer will save time and money.

Or for a company with a smaller budget. Which is better: not doing an audit at all, or at least trying to do a “mechanical, systematic, uncreative” audit? For a new small start-up, a mid-level review, somewhere between a Slither run and a $40,000 audit, could be a good solution.

Security Researcher

What Spearbit said: “A Security researcher suggests a more advanced, technical, and expansive role. Searching for novel attack vectors, striving to be at the forefront of advancing web3 security, and dedicated to delivering value beyond client expectations.”

I was a little critical of the last sentence of the auditor definition, but the last sentence of the Security Researcher definition is music to my ears: “delivering value beyond client expectations”. And there are many ways in which a good engineer can deliver service beyond the client’s expectations: with an incredible, well-written report, with a follow-up after the service is complete, or with a detailed explanation of how to prevent attacks.

But, of course, the core should always be to protect the code, and I totally agree that a security researcher is the perfect profile for that. The security researcher spends hours a day looking for new attack vectors in Solodit, in Rekt and, of course, on Twitter.

Allow me to post another tweet, in this case from @pashovkrum:
Web3 researchers are very very smart people. There were some serious beasts in the event, guys who have protected tens of millions of dollars. Not all of them are paid accordingly, but incentives are moving in the right direction because of good platforms.

Conclusion

Thanks to Spearbit, we have a clear definition of the different profiles in web3 security, and the conclusion is that they can work together as a team. We need a methodical and canonical review plus the imagination and creativity of a researcher. As in team sports, we need the best players in each role to win.

Oh, I almost forgot: what about customer contacts or technical writers? OK, that’s a story for another article.

Security Researcher | Smart Contract Dev | Blockchain Instructor. Follow me on twitter: @azdraft_