What are the key components of a software security audit?
Ongoing security auditing and monitoring provide the means for ongoing effective software security assurance practices. Audit review provides an independent assessment and attestation to management’s assurance of an effective system of security vulnerability management, while internal auditing is an important element of the overall system of internal controls. Compliance audits and other information security audits should specifically address management of security vulnerabilities in the source code, and need to include the following elements: • Measurement of vulnerabilities against prescribed standards for security and risk management. • Testing of software applications for the existence of security vulnerabilities using security auditing software. • Management of software security vulnerabilities in the IT system design, development, maintenance, and change management processes. • Management of software security in all outsourced IT systems and programming processes.
