Software Security Assurance Guide

EXECUTIVE OVERVIEW

Internet-facing systems represent significant opportunity as well as risk to any organization using them. They help meet customer and competitive needs, but they also provide a primary avenue for attackers to evade protective system barriers. Once an attack has exploited a vulnerability in a Web application, the application’s server loses its reliability, subjects data to compromise or destruction, and can become a base for launching attacks against other systems within the organization’s network or against other Internet systems.

This guide provides information needed to identify, measure, remediate, and manage specific security vulnerabilities in online systems. It identifies the source of the problem, recommends specific techniques to assess the extent and severity of the problem, and explains how the control environment can be structured to manage software security risks efficiently within the organization’s risk appetite.

Software security is also a significant element of compliance with the laws, regulations, and policies that govern an organization and its data. Weak software security can represent, for example, a significant control deficiency in terms of compliance with the Sarbanes-Oxley Act, potentially compromising the reliability of financial information and reporting. The appendixes of this guide provide references to example laws and regulations related to information security, and cross-reference sources of guidance for assuring effective compliance practices.

Many positions within an organization have responsibilities for ensuring the security of online applications – from the programmer writing the source code all the way through the audit committee of the board that must assess the reliability of assurance regarding information reliability and security. As audit represents an essential element for controls assurance, this guide also provides guidance for audits of software security vulnerability management as well as an example audit program that can be modified to fit an organization’s specific needs.

Many organizations and individuals participated in the global project team that helped develop and review this guide. We are grateful for their support and their professional commitment to relevance, accuracy, and the efficient delivery of information we believe the guide provides. We are also grateful to Ounce Labs for providing the sponsorship necessary to produce the guide. As the author, I welcome questions, comments, or any input on the guide and its usability. I hope you will find the guide highly usable by the many people in your organization that have a role in providing software security assurance.

Charles H. Le Grand
CHL Global Associates

The full text of Software Security Assurance is now available – free – at the project sponsor’s web site www.ouncelabs.com/audit. (You have to register, but they are safe.) For what’s next, occasionally check the web site at www.chlglobalassociates.com.