Software audit review

A software audit review, or software audit, is a type of software review in which one or more auditors who are not members of the software development organization conduct "An independent examination of a software product, software process, or set of software processes to assess compliance with specifications, standards, contractual agreements, or other criteria".

"Software product" mostly, but not exclusively, refers to some kind of technical document. IEEE Std. 1028 offers a list of 32 "examples of software products subject to audit", including documentary products such as various sorts of plans, contracts, specifications, designs, procedures, standards, and reports, but also non-documentary products such as data, test data, and deliverable media.

Software audits are distinct from software peer reviews and software management reviews in that they are conducted by personnel external to, and independent of, the software development organization, and are concerned with compliance of products or processes, rather than with their technical content, technical quality, or managerial implications.

The term "software audit review" is adopted here to designate the form of software audit described in IEEE Std. 1028.

Objectives and participants

"The purpose of a software audit is to provide an independent evaluation of conformance of software products and processes to applicable regulations, standards, guidelines, plans, and procedures". The following roles are recommended:

The Initiator (who might be a manager in the audited organization, a customer or user representative of the audited organization, or a third party) decides upon the need for an audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the audit personnel, decides what follow-up actions will be required, and distributes the audit report.

The Lead Auditor (who must be someone "free from bias and influence that could reduce his ability to make independent, objective evaluations") is responsible for administrative tasks such as preparing the audit plan and assembling and managing the audit team, and for ensuring that the audit meets its objectives.

The Recorder documents anomalies, action items, decisions, and recommendations made by the audit team.

The Auditors (who must be, like the Lead Auditor, free from bias) examine the products defined in the audit plan, document their observations, and recommend corrective actions. (There may be only a single auditor.)

The Audited Organization provides a liaison to the auditors and provides all information requested by the auditors. When the audit is completed, the audited organization should implement the corrective actions and recommendations.

Principles of a Software Audit

The following principles of an audit should be reflected:

Timeliness: An up-to-date picture can only be maintained if the processes and the programming are inspected continuously, both for their potential susceptibility to faults and weaknesses and for the continued analysis of the strengths found, or by comparative functional analysis with similar applications.

Source openness: An audit of encrypting programs requires an explicit statement of how the handling of open source is to be understood. For example, programs that offer an open source application but do not treat the IM server as open source have to be regarded as critical. An auditor should take a position of their own on the paradigm that cryptologic applications need to be open source.

Elaborateness: Audit processes should be oriented to a certain minimum standard. Recent audit processes of encrypting software often vary greatly in quality, scope and effectiveness, and their reception in the media is often perceived differently. Because special knowledge is needed, on the one hand to be able to read program code and on the other hand to understand encryption procedures, many users trust even the shortest statements of formal confirmation. Individual commitment as an auditor, e.g. regarding quality, scale and effectiveness, is thus to be assessed reflexively by the auditor and documented within the audit.

The financial context: Further transparency is needed to clarify whether the software has been developed commercially and whether the audit was funded commercially (paid audit). It makes a difference whether it is a private hobby / community project or whether a commercial company is behind it.

Scientific referencing of learning perspectives: Each audit should describe the findings in detail within their context and also highlight progress and development needs constructively. An auditor is not the parent of the program, but serves in the role of a mentor if the auditor is regarded as part of a PDCA learning circle (PDCA = Plan-Do-Check-Act). Next to the description of the detected vulnerabilities there should also be a description of the innovative opportunities and of the development of the potentials.

Literature-inclusion: A reader should not rely solely on the results of one review, but should also judge according to the loop of a management system (e.g. PDCA, see above), to ensure that the development team or the reviewer was and is prepared to carry out further analysis, and that the development and review process is open to learning and to considering the notes of others. A list of references should accompany each audit.

Inclusion of user manuals & documentation: A check should further be made whether manuals and technical documentation exist, and whether these are being expanded.

Identify references to innovations: Applications that allow both messaging to offline and online contacts, i.e. that combine chat and e-mail in one application - as is also the case with GoldBug - should be tested with high priority (the criterion of presence chats in addition to the e-mail function). The auditor should also highlight references to innovations and underpin further research and development needs.

This list of audit principles for crypto applications describes, beyond the methods of technical analysis, particularly the core values that should be taken into account.

Tools

Parts of a software audit could be done using static analysis tools that analyze application code and score its conformance with standards, guidelines and best practices. From the list of tools for static code analysis, some cover a very large spectrum from code to architecture review and could be used for benchmarking.

References

IEEE Std. 1028-1997, clause 3.2
IEEE Std. 1028-1997, clause 8.1
"IEEE 1028-2008 - IEEE Standard for Software Reviews and Audits". IEEE. Retrieved 2019-03-12.
References to further core audit principles, in: Adams, David / Maier, Ann-Kathrin (2016): BIG SEVEN Study, open source crypto-messengers to be compared - or: Comprehensive Confidentiality Review & Audit of GoldBug, Encrypting E-Mail-Client & Secure Instant Messenger, Descriptions, tests and analysis reviews of 20 functions of the application GoldBug based on the essential fields and methods of evaluation of the 8 major international audit manuals for IT security investigations including 38 figures and 87 tables. URL: https://sf.net/projects/goldbug/files/bigseven-crypto-audit.pdf - English / German Language, Version 1.1, 305 pages, June 2016 (ISBN: DNB 110368003X - 2016B14779)
