SOFTWARE CODE & SECURITY AUDIT
Three Critical Kinds of Software Audit
There are many ways to “audit” a software application. Indeed the most basic kinds of software audit examine how the software is functionally configured, integrated or utilized within an organization. This kind of review process can be completed either by internal IT, an outside firm or an independent solution provider – typically as a first step in a bigger development project. However the stakes are much higher in three other classes of software audit – with the first type often instilling confidence and the other two, anxiety.
Software Quality Assurance Audit - The first kind of software audit is part of the software quality assurance (QA) process. The objective of a QA audit is simple – to improve the software. Everything is fair game in a software review – including code, processes, report output, data, test data and media - and anyone close to the software development organization may be asked to conduct the software QA audit. The goal is to assess technical quality, form and function with the aim of improving aspects such as ease-of use, reliability, security and performance.
Software Compliance Audit – The second kind of software audit, the type that can produce anxiety, measures software’s level of compliance with regulatory mandates. Compliance audits are always conducted by a body outside of the company such as an industry watchdog or government regulator. In a compliance audit, an organization is obligated to let the auditor review their software applications for compliance with set specifications, standards, codes, controls and mandated procedures. These are completed often to continually recertify the software is compliant, typically on an annual basis.
Software Licensing Audit – Finally, software can be audited as part of Software Asset Management or Risk Management practices to determine where the software is distributed and how it is used. A license audit may be required to impose greater controls or find cost savings. The audit may seek to enforce software copyright protections. It can be mandated by the courts as part of a legal dispute. It can be ordered by risk managers who seek to determine the organization’s level of exposure from continued use of the software.
The Who, What and Why of Software Audits: Tools, Teams and How to Prepare
Every kind of software audit essentially seeks to understand the same things. What is the true purpose of the software and its value to the organization? How does it perform, weighed against necessary risk? Likewise, most software audits assign similar roles to participants and rely on technological tools to aid examination.
Software Audit Team – It takes a team to complete a software audit, and it requires the active participation of the organization. The internal Sponsor or Initiator establishes the need for the software audit, the proper participants, their purpose and scope, evaluation criteria and reporting mechanisms. The Lead Auditor is typically an outside examiner free from bias and influence who can make objective evaluations. This person leads the independent auditing team that actually conducts the software review according to audit objectives. Finally, the person responsible for administrative tasks such as documenting action items, decisions, recommendations and reports is called the Recorder. When the software audit is completed, the audited organization implements corrective actions and recommendations.
Software Audit Tools – Selecting the right tool for the job cannot be understated. Different software audit tools will generate different views of an organization’s applications and architecture. Make sure that the audit team includes an expert at using the tool of choice, and that it will return sufficient data to determine appropriate actions. For example, software’s compliance with application security can be audited using a variety of static analysis and dynamic analysis tools that analyze an application and score its conformance with security standards, guidelines and best practices. Lastly, the software auditing tool should report its findings as part of a benchmarking process for future audits by the audit team.
Prepare for a Software Audit – Chances are most IT organizations will be subject to some type of software audit. The key to surviving the process is organization. For companies that are unprepared, any software audit can become a painful, lengthy exercise requiring countless man-hours. Budgeting for potential audits in advance will avoid surprise expenses that could impact profitability. As examples: annual software compliance audits are a common occurrence in highly regulated industries such as finance and healthcare. Companies undergoing mergers or acquisitions should expect software license audit requests from vendors and suppliers. Software development teams should plan on application security testing as part of their standard QA process. Organizations that are well prepared can not only survive a software audit but improve the quality, compliance and utilization of their software as a result.