Supporting Regulatory Compliance: Meeting Policy and Regulatory Requirements for Software Security

In the face of the ongoing epidemic of data breach notifications forced by today's disclosure laws, it has become increasingly important for organizations to measure and prove their compliance with regulatory and policy requirements for software and data security. The question for many auditors and managers is: what do I do next?

Headlines reveal seemingly endless examples of companies that have suffered everything from a minor website defacement to millions of identities stolen and data subverted. These exploits weren't caused solely by a "bug", but by implementations that were improperly designed or coded, exposing confidential data to attack. This not only costs companies millions of dollars directly related to the attack, but also exposes them to fines and fees from regulatory bodies that find them out of compliance with industry regulations.

The Payment Card Industry Data Security Standard (PCI DSS). Sarbanes-Oxley. The Federal Information Security Management Act (FISMA). The EU's Privacy and Electronic Communications Regulations (EC Directive). These regulations all require organizations to assess their security state, create a plan to mitigate the most critical vulnerabilities, and prove progress over time. Many refer to industry references such as the OWASP Top 10 or the Common Weakness Enumeration (CWE) as resources for organizations seeking to prove their compliance. These references cover the need to analyze applications both for coding errors, such as buffer overflows and race conditions, and for design flaws, such as the lack of encryption for sensitive data.

Organizations face, then, a two-pronged challenge: the security need to fix vulnerable code, and the business-level need to prove compliance. Security and compliance are not, however, a challenge isolated within the development organization. The challenge is to connect the dots and bridge the gap from compliance standards, through an organization's internal policies, down to the developer's desktop.

The Ounce solution provides the necessary information to help organizations demonstrate compliance with leading regulations:

  • Complete Portfolio Management: An executive dashboard and reporting interface allows relative ranking, comparison, trending and analysis across an entire software portfolio.
  • Specific Compliance Reports: The Ounce SmartAudit reporting templates provide executives and managers with the specific information needed to prove compliance with leading standards and regulations such as the OWASP Top 10 and PCI DSS.

Q: What are the right questions to measure compliance?

A: Software Security Audit Framework

With 94% of IT security risks attributed to software, it is imperative that enterprises assess, measure, and manage their software risk. This framework offers guidance on the processes, controls, and tools needed to assess software risk, and includes a detailed auditor's checklist and regulatory compliance matrices.

Q: I work for a Financial Services firm. What are the software security compliance issues we should be monitoring?

A: Financial Services Compliance Grid

There is no commercial industry with a greater responsibility for software and data security than the organizations that form the world's global financial backbone. This at-a-glance compliance grid provides the financial services security and audit professional with the specific compliance requirements that apply to software security. It includes FFIEC regulations, the PCI Data Security Standard, the OWASP Top Ten, and control objectives for Sarbanes-Oxley.

Q: I work for a Federal Agency. What are the software security compliance issues we should be monitoring?

A: Federal Agencies Compliance Grid

The security of software and the data it protects is mission-critical for the agencies of the U.S. Federal Government. This at-a-glance compliance grid for FISMA, DITSCAP and DIACAP outlines the major compliance categories for software assurance, the applicable regulatory and compliance frameworks, and the Ounce Labs solution and how it can help you guide and monitor compliance.