CODE AUDIT FAQs:


Why is it necessary to audit applications for security vulnerabilities?

Auditing applications for source code security vulnerabilities is the most important step towards overall enterprise security. Applications, especially Web applications, can expose vital data to the World Wide Web, and security vulnerabilities arising from inadequately designed or written code may allow attackers to threaten privacy and steal data - for example, to gain access to confidential information, modify a database or other system, or cause the application to crash or become unstable.

Application source code audit is necessary not only because of the significant operational risk posed by vulnerable software, but because it is mandated by the regulations and policies that govern data privacy, integrity, and good corporate governance. Regulations such as PCI, Sarbanes-Oxley and FISMA, and control frameworks such as COBIT and COSO are driving software risk analysis and software security assurance activities to the forefront of business requirements and best practices.

When in the software development life cycle should source code be audited?

According to John Pescatore of Gartner, "Removing only 50 percent of software vulnerabilities before use will reduce patch management and incident response costs by 75 percent." Auditing application source code for security defects starting early in the development lifecycle results in significant cost savings.

What are common techniques for conducting source code audits?

The most common code audit techniques include manual source code review, application penetration testing, and automated source code analysis.

  • Manual code review can identify vulnerabilities as well as functional flaws, but most companies do not have the skilled security resources or time available within the software lifecycle that a manual code review requires, and therefore many companies who decide to perform manual code reviews can only analyze a small portion of their applications.
  • Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible against likely access points in an attempt to bring down the application.
  • Automated source code analysis tools make the process of manual code review more efficient, affordable, and achievable. This technique of code audit significantly reduces analysis time, produces actionable metrics, delivers significant cost savings, and can be integrated at every point in the development lifecycle.

To learn more about these code audit technologies, please visit www.ouncelabs.com/dozen.

Which technique is most effective for auditing source code security?

Manual code analysis, application penetration testing and automated source code analysis tools each present their own set of benefits and shortcomings. Using automated source code analysis as the foundational tool, supplemented by ancillary options such as patch management, penetration testing, and manual source code review, can help organizations effectively locate, understand and eliminate coding errors, configuration issues and design flaws.

How should code audits of outsourced applications be conducted?

Organizations can ensure security of their outsourced applications by requiring a security audit of the source code as part of the outsourcing contract. Ounce Labs has published sample contract language for software development that sets specific security standards and ensures that outsourced code is developed with security from the ground up, and is validated prior to acceptance. To download a copy of this contract language, please visit www.ouncelabs.com/assurance.

For more information about building security into outsourced development projects, click here.
