May 2006

Establishing Controls for Software Security Assurance

Performing effective software security audits and implementing security best practices can help companies prevent serious risks to their IT systems and data.

Charles H. Le Grand, CIA, CISA
Managing Principal
TechPar Group
and Chief Executive Officer
CHL Global Associates

Many auditors have a workable understanding of the different network security controls used to protect corporate data and assets, including firewalls, intrusion prevention systems, and event monitoring software. However, recent targeted attacks and widely publicized security breaches all point to software vulnerabilities as a greater, but less understood, source of risk. These security vulnerabilities are at the center of many of the major data breaches that resulted in the theft of more than 50 million customer records in the first half of 2005 alone. In April of last year, for instance, clothing retailer Polo Ralph Lauren blamed a software glitch for an incident that compromised the identities of 180,000 customers, and warehouse retail store BJ’s Wholesale Club set aside US $16 million to cover possible losses after a software breach targeted 40,000 consumers.

Companies are not the only ones affected by software vulnerabilities. Last year, an audit group came under fire in the largest identity theft case to date, in which approximately 40 million American Express, MasterCard, and VISA customers had their personal information compromised. The credit card processing company from which the information was stolen, CardSystems, testified before the U.S. Congress in June 2005 that blame should fall on security auditors who improperly certified the processing systems as compliant with approved VISA standards. Unfortunately, research data shows software vulnerabilities will continue to plague organizations in the future. According to a December 2005 report by IT research firm Gartner, 80 percent of companies are expected to suffer an application security incident by 2009.

As exemplified here, vulnerable software clearly poses serious risks to successful business operations. As a result, it is essential for internal auditors to determine whether existing controls effectively identify and address flaws that could leave critical systems open to attacks and recommend that organizations incorporate established best practices as part of their software security efforts.


As software security risks continue to grow and gain more attention among media, legislators, and law enforcement agencies, it is important for companies and auditors to determine which best practices will provide the most effective software security controls and assurance. An example of these best practices is the Software Security Audit Framework developed by information security services company CHL Global Associates and sponsored by Ounce Labs, a software security assurance company.

Software security assurance is an important management responsibility. Because vulnerabilities represent significant control deficiencies in terms of secure and reliable information, processes, and reporting, software security should fall within the direct purview of the chief executive officer (CEO), chief financial officer (CFO), and the board’s audit committee. Vulnerabilities also may result in the disclosure of personal and other sensitive information, thus impacting the roles and responsibilities of management positions throughout the enterprise. Consequently, the two most important priorities for executives to consider and balance are assurance and a control's cost and value:

  • Assurance. Software security assurance is the process driven primarily by management to ensure effective controls are defined and implemented to protect critical data and operations. Independent assurance by internal or external auditors should attest that these controls exist in agreement with appropriate documentation.
  • Control cost and value. The costs of software vulnerability management must be balanced against expected losses from exploits of control weaknesses. Although it may be difficult to quantify expected losses from vulnerability exploits, control costs must be balanced against values, including the protection of customer information, business continuity practices, legal repercussions, and the organization’s reputation.

Besides assurance and a control's cost and value, establishing the proper tone at the top allows the organization to develop the IT security infrastructure needed to safeguard IT assets, including software systems and data. Once software security assurance and each control's cost and value are established, internal auditors can review the company's overall software security environment. The four components of effective governance and software risk management that should be audited in all information systems are:

  1. Risk assessments. These are necessary to determine the extent of vulnerabilities in all relevant systems and estimate the probability of losses that would be incurred from successful attacks.
  2. Vulnerability management. This identifies the specific security vulnerabilities that introduce risk and enables the company to take appropriate action to eliminate or mitigate that risk.
  3. Security standardization for development and deployment. This allows companies to prevent the introduction of security vulnerabilities into critical systems. In other words, as programmers write code, they should make sure the code is secure by using security assessment tools and techniques to prevent, detect, and correct the introduction of vulnerabilities within the code.
  4. Assessment tools. The use of effective security assessment tools and techniques within the organization enables auditors to provide ongoing reviews and monitoring of risk levels so they can remain within an acceptable, quantifiable threshold.
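The third and fourth components describe tooling rather than policy: a check that runs as code is written, and a threshold that ongoing monitoring reports against. The following Python script is an added example written for this page; it is not part of the article, the CHL Global Associates framework, or any Ounce Labs product. It embeds a constructed sample module (three hypothetical customer-lookup functions), runs a small abstract-syntax-tree check that flags SQL assembled by string concatenation or formatting before it reaches `execute()`, confirms the finding is real by driving the flagged function with an injection payload against an in-memory SQLite table, and compares the number of open findings with an assumed threshold of zero.

```python
"""Minimal source-level check for SQL built from untrusted strings.

Added example for illustration; it is not the article's framework or any
vendor's assessment tool.  Names, thresholds and sample data are assumptions.
"""
import ast
import sqlite3
import textwrap

# Constructed sample module: two vulnerable lookups and one hardened lookup.
SAMPLE_SOURCE = textwrap.dedent('''
    def find_customer_vulnerable(conn, email):
        # Attacker-controlled input is spliced into the SQL text
        query = "SELECT id, name FROM customers WHERE email = '" + email + "'"
        return conn.execute(query).fetchall()

    def find_customer_fmt(conn, email):
        return conn.execute("SELECT id, name FROM customers WHERE email = '%s'" % email).fetchall()

    def find_customer_hardened(conn, email):
        # The driver binds the value; the query text itself never changes
        return conn.execute("SELECT id, name FROM customers WHERE email = ?", (email,)).fetchall()
''')


def _is_dynamic_sql(node, assignments):
    """True when the SQL argument is assembled at run time instead of being a literal."""
    if isinstance(node, ast.Name):               # follow a simple local assignment
        node = assignments.get(node.id, node)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                              # "..." + x  or  "..." % x
    if isinstance(node, ast.JoinedStr):
        return True                              # f"..."
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                              # "...".format(x)
    return False


def scan_source(source):
    """Return (function_name, line_number) for every execute() call fed dynamic SQL."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Map local names to the expression last assigned to them in this function
        assignments = {}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assignments[target.id] = node.value
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and _is_dynamic_sql(node.args[0], assignments)):
                findings.append((func.name, node.lineno))
    return findings


def demonstrate_injection(payload="' OR '1'='1"):
    """Confirm the static finding dynamically against an in-memory table.

    Returns (rows from the vulnerable lookup, rows from the hardened lookup)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")])
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)               # load the constructed sample functions
    return (len(namespace["find_customer_vulnerable"](conn, payload)),
            len(namespace["find_customer_hardened"](conn, payload)))


def within_threshold(findings, max_open_findings=0):
    """Monitoring gate: True when open findings stay within the accepted level (assumed 0)."""
    return len(findings) <= max_open_findings


if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for name, line in found:
        print(f"dynamic SQL reaches execute() in {name} (sample line {line})")
    vulnerable_rows, hardened_rows = demonstrate_injection()
    print(f"injection payload returned {vulnerable_rows} rows from the vulnerable lookup, "
          f"{hardened_rows} from the hardened one")
    print("within accepted threshold:", within_threshold(found))
```

The static pass is deliberately narrow: it follows only a direct local assignment and flags any concatenation or formatting feeding `execute()`, so a literal such as `"SELECT " + "1"` would also be reported. That is the usual trade-off in a development-time check: a cheap, slightly noisy rule that runs on every commit, with the dynamic probe reserved for confirming which findings are exploitable before they count against the threshold.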

Auditing these four elements will enable auditors to recommend effective software security management policies and procedures, and to ensure that all practices involving the development, implementation, and maintenance of online systems are assessed frequently enough to maintain the desired level of software security.


Any enterprisewide program for managing software risk requires executive-level sponsorship and leadership. Although many companies are quick to assign security responsibilities to IT staff, a top-down approach is a far more effective way to ensure budget and other resources are allocated properly among business stakeholders.

Below is information on the top four executive-level controls auditors should keep in mind. These controls — policies, assessments and monitoring, assurance, and audits — are fundamental to an effective software assurance program across the organization’s IT, audit, risk, and development functions, as well as any outsourcing vendors.

When examining an organization's policies, auditors must determine whether:

  • Information security policies, procedures, and standards specifically address security vulnerabilities in Internet-facing applications.
  • System development and maintenance processes and standards allow companies to prevent the introduction of security vulnerabilities in new or changed systems and programs.
  • Security standards for system design and program code apply equally to outsourced vendors, as well as internal programmers and system developers.

Security Assessments and Auditing
Internal auditors should verify the following during security assessments and monitoring activities:

  • Intrusion protection systems identify possible threats to Internet-facing applications and attacks in real time.
  • Risk management efforts incorporate assessments of vulnerabilities in Internet-facing systems, as well as a cost and benefit evaluation of the system's control effectiveness.
  • Security threats to software supporting Internet-facing applications are measured routinely and are within the acceptable level of risk for such systems.
  • Internet-facing applications are assessed on their ability to enforce privacy requirements for personally identifiable and other sensitive information.

Audits of assurance efforts should ensure:

  • Management responsibilities are communicated properly, including management efforts to control software security vulnerabilities.
  • Management provides metrics and other information to the CEO, CFO, and board audit committee concerning the effectiveness of software security controls related to legal and regulatory compliance.

Finally, internal auditors should ensure compliance audits and other audits of information security specifically address the management of source code vulnerabilities. These audits should include:

  • Assessing threats against prescribed standards for security and risk management.
  • Testing of software applications for the existence of security vulnerabilities.
  • Steps that identify the proper management of software security vulnerabilities during the system’s design, development, maintenance, and change management phases.
  • Recommendations that identify how to manage software security in all outsourced systems and programming processes.

To maintain reliable operations, protect sensitive data, and comply with regulations, companies must establish a process for managing and auditing software risks. Ensuring these executive-level controls are implemented will help organizations improve the effectiveness of software assurance programs across the entire IT landscape.


As the threats associated with maintaining online systems and sensitive information continue to increase, managers and auditors should make sure companywide software security efforts parallel their liability risks. Given the myriad of tools, techniques, and guidance available, companies should be able to find plenty of information to manage software security risks more effectively and efficiently.

Executives also play an important role in the security arena, helping organizations identify the different threats to software systems, as well as the standards, processes, and technologies necessary to answer critical software security assurance questions. The result will be a repeatable, consistent, and measurable process that addresses internal and external threats to corporate operations, data, and reputation.

For more information, auditors may consult the Software Security Assurance Framework, which details the processes, stakeholders, and metrics required for an enterprisewide approach to software security assurance. The framework also provides in-depth audit guidance and an example audit program, and aligns its control objectives with key regulatory requirements. The framework is available from the Ounce Labs Web site.

Charles H. Le Grand, CIA, CISA, is the CEO of CHL Global Associates and has more than 30 years of experience dealing with security, compliance, risk, assurance, and governance matters in the IT field. Prior to forming CHL Global Associates and joining TechPar Group as their managing principal, Le Grand served as The IIA's director of technology practices, where he initiated the organization's Global Technology Audit Guide series. Le Grand also has provided expert testimony to the U.S. President’s Commission on Critical Infrastructure Protection and has served on the board of directors of the Partnership for Critical Infrastructure Security and the Center for Continuous Auditing, among other organizations.
