A Framework for Software Vulnerability Management and Audit
Author: CHARLES H. LE GRAND, CIA, CISA
Sponsored by: Ounce Labs
With 94% of IT security risks coming from software, it is imperative that enterprises assess, measure, and manage their software risk. This framework offers guidance for the processes, controls, and tools needed to assess software risk, and includes a detailed auditor's checklist and regulatory compliance matrices.
Internet-facing systems represent significant opportunity as well as significant risk to any organization that deploys them. They help meet customer and competitive needs, but they also give attackers a primary avenue for bypassing the organization's protective barriers. Once an attacker has exploited a vulnerability in a Web application, the application's server can no longer be trusted: its data is exposed to compromise or destruction, and the server can become a base for launching attacks against other systems within the organization's network or against other Internet systems.
This guide provides information needed to identify, measure, remediate, and manage specific security vulnerabilities in online systems. It identifies the source of the problem, recommends specific techniques to assess the extent and severity of the problem, and explains how the control environment can be structured to manage software security risks efficiently within the organization's risk appetite.
Software security is also a significant element of compliance with the laws, regulations, and policies that govern an organization and its data. Weak software security can represent, for example, a significant control deficiency under the Sarbanes-Oxley Act, potentially compromising the reliability of financial information and reporting. The appendixes of this guide provide references to example laws and regulations related to information security, and cross-reference sources of guidance for assuring effective compliance practices.
Many positions within an organization carry responsibility for the security of online applications, from the programmer writing the source code all the way to the audit committee of the board, which must judge how much reliance to place on the assurance it receives about information reliability and security. Because audit is an essential element of controls assurance, this guide also provides guidance for auditing software security vulnerability management, together with an example audit program that can be modified to fit an organization's specific needs.