The August 2008 issue of Control Journal (vol. 4) contains an article, 'Secure Software Development - The Role of IT Audit' (B. L. Ciaramitaro and J. Livermore). Essentially this article complains about:
- the lack of software construction security standards,
- the disconnect between software developers and security specialists,
- the failure of tertiary education to teach computer science students how to write secure software,
- and the fact that IT audit is failing to address security controls in software development.
All of this seems to be true, and as a consequence businesses are spending billions of dollars each year recovering from security breaches caused by insecure software.
A challenge to those developing IT audit programmes, wherever software is being developed, is to proactively address this shortfall by introducing software programming security audits. The 'Secure Programming Standards Methodology Manual' (SPSMM, at http://www.isecom.info/mirror/spsmm.0.5.1.en.pdf) provides a good insight into the kinds of software vulnerabilities that exist and the kinds of security techniques needed to deal with them.
As with most IT auditing, which can be conducted at several levels, the key here is to ensure that:
- there are security policies that address software construction,
- their contents effectively refer to techniques such as those described in the SPSMM,
- there are management and construction processes applying those policies (such as peer reviews and testing),
- and that there is good evidence that these processes are working.
- Ron.Segal's blog