practices and sensible standards [1].

A program may be correct and robust without being trustworthy. Evidence of a program's trustworthiness includes the presence of good programming practices and sensible programming standards. Various findings from research in Computer Security as well as research in Software Engineering have demonstrated that a lack of good programming practices and sensible programming standards may result in programs which either contain software errors or contain coding structures which are complex in nature. This same research has shown that the existence of errors or complexities is the precondition which permits the compromise or security violation of application software or system software.

This means that an effective audit of many application systems requires the auditor to perform compliance testing on the software itself to measure the degree to which the organization's programming practices (e.g. structured programming) and coding standards are effective in producing software which has integrity.

2. RESEARCH RESULTS

There are two major areas in which the results of the above mentioned research are of immediate value:

1. Systems for classifying software errors (see paragraph 2.1).

2. A collection of software engineering methodologies which serve to identify, locate and measure adverse coding structures within individual program modules (see paragraph 2.2).

2.1 ERROR CLASSIFICATION SYSTEMS

Three different groups which have had extensive experience in the security evaluation of operating systems have each developed classification systems for programming errors which are found in operating systems [2,3,4,5,6]. Other groups have studied application system errors [15]. Whereas the classification systems differ somewhat, there are many points of similarity. One such point is the belief that the number of error classes is finite, and less than 20 in number.

At least one group [2,3] has successfully transferred and applied the error classification methodology to application systems. This particular error classification scheme identifies 7 error categories:

[blocks in formation]

The first error classification, Incomplete validation of parameters, can, for example, be expanded to provide a set of practical control guidelines:

2.1.1. For each module, all incoming parameters must be validated prior to use.

[blocks in formation]

Software quality is composed of a number of factors [14]. One factor that relates to integrity is complexity. A number of statistical calculations have been developed which assist in measuring the complexity of software [7,8]. Complexity measurements can point out that the original specification was bad, that the software contains sections of coding which will most likely cause problems during the life cycle of the software, and serve to measure the work product of the programming staff. Measurements of program complexity include, but are not limited to:

A. Complexity coefficient

B. Ratio of unique operands to unique operators

C. Ratio of transfer statements to non-transfer statements

[blocks in formation]

Within a program, flow-of-control has to do with the number of GOTOs, IFs, CALLs, and other transfer of control statements or instructions. If, even after structured programming constructs have been applied, the pattern of the flow-of-control is such that it is highly interwoven, then that software is said to be complex [9,10,11,12]. Measurements of flow-of-control complexity include, but are not limited to:

A. Ratio of backward jumps to total instructions

B. Number and type of decision instructions

C. The number of interwoven pathways (i.e. knots).
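
The measurements listed above, as an added example that is not part of the original report: it computes the ratio of transfer to non-transfer statements, the ratio of backward jumps to total instructions, the number of decision instructions and the knot count (pairs of jumps whose flow lines cross) for a small listing. The BASIC-like syntax, the sample program and the function names are assumptions made for illustration.

```python
import re
from itertools import combinations

# Constructed sample listing (BASIC-like, one statement per numbered line).
SAMPLE = """\
10 READ N
20 IF N < 0 GOTO 80
30 LET S = 0
40 LET S = S + N
50 LET N = N - 1
60 IF N > 0 GOTO 40
70 GOTO 90
80 LET S = -1
90 PRINT S
100 END
"""
GOTO = re.compile(r"\bGOTO\s+(\d+)")

def parse(listing):
    """Return [(line_number, statement)] in listing order."""
    rows = []
    for raw in listing.splitlines():
        if raw.strip():
            number, statement = raw.strip().split(None, 1)
            rows.append((int(number), statement))
    return rows

def crosses(a, b):
    """True when two jumps interleave, i.e. their flow lines form a knot."""
    (a0, a1), (b0, b1) = sorted(a), sorted(b)
    return a0 < b0 < a1 < b1 or b0 < a0 < b1 < a1

def flow_metrics(listing):
    rows = parse(listing)
    pos = {number: i for i, (number, _) in enumerate(rows)}
    jumps = []  # (source position, target position)
    for number, statement in rows:
        m = GOTO.search(statement)
        if m and int(m.group(1)) in pos:  # ignore undefined targets
            jumps.append((pos[number], pos[int(m.group(1))]))
    total = len(rows)
    return {
        "instructions": total,
        "decisions": sum(s.startswith("IF ") for _, s in rows),
        "backward_jump_ratio": sum(dst <= src for src, dst in jumps) / total,
        "transfer_ratio": len(jumps) / max(1, total - len(jumps)),
        "knots": sum(crosses(a, b) for a, b in combinations(jumps, 2)),
    }

if __name__ == "__main__":
    print(flow_metrics(SAMPLE))
```

In the sample, the forward jump from line 20 to line 80 and the jump from line 70 to line 90 overlap without nesting, which produces the single knot; the loop jump from 60 back to 40 lies wholly inside the first jump and adds none.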

3. THE ROLE OF THE AUDITOR

It is often the case that the EDP Auditor or EDP Security Auditor does not have a computer background. As such, it will be difficult for this person to personally examine the software or to calculate the statistics. The preceding discussion will insure that the examiner is aware of what the data processing shop should be doing even if the examiner does not know how to do it. As always, the role of the examiner is threefold:

1. To insure that appropriate controls exist.

2. To insure that those controls are in place.

3. To seek evidence that the controls are functioning.

4. REFERENCES

[1] Ruthberg, Z.G., McKenzie, R.G., Editors. "Audit and Evaluation of Computer Security", NBS Special Publication 500-19, October 1977.

[2] Abbott, R.P. et al., "Security Analysis and Enhancements of Computer Operating Systems", NBS, NBSIR 76-1041, April 1976.

[3] Konigsford, W.L., "A Taxonomy of Operating-System Security Flaws", Lawrence Livermore Laboratory, UCID-17422, November 1, 1976.

[4] Branstad, D.K., "Privacy and Protection in Operating Systems", Operating Systems Review, ACM SIGOPS, Jan. 1973, pp. 9-17.

[5] Carlstedt, J., et al., "Pattern-Directed Protection Evaluation", Information Sciences Institute, ISI/RR-75-31, June 1975.

[blocks in formation]

USC

[blocks in formation]

[8] Gilb, T., "Software Metrics", Cambridge, MA, Winthrop, 1977.

[9] Ramamoorthy, C.V. and Ho, S.F., "Testing Large Software with Automated Software Evaluation Systems", in Proc. 1975 Int. Conf. Reliable Software, Los Angeles, Apr 1975, pp 382-394.

[10] Woodward, M.R., et al, "A Measure of Control Flow Complexity in Program Text", Trans. Soft. Eng., Vol. SE-5, No. 1, January 1979.

[11] Wetherell, C. and Shannon, A., "Tidy Drawing of Trees", Trans. Soft. Eng., Vol. SE-5, No. 5, September 1979.

[12] Anderson, S.E., and Short, G.E., "A Study of Automated Aids for Secure Systems", IBM Data Security and Data Processing, G320-1375, 1974.

[13] "Second U.S. Army Software Symposium", Williamsburg, VA, October 1978.

[14] McCall, J.A., et al, "Factors in Software Quality", RADC-TR-77-369, Vol. I (of three), Final Technical Report, November 1977.

[15] Boehm, B.W. et al, "Some Experience with Automated Aids to the Design of Large-Scale Reliable Software", IEEE Tran. On Software Eng., Vol SE-1, No. 1, March 1975.

[16] "Proceedings of the Software Quality and Assurance Workshop", A joint issue by ACM-Performance Evaluation Review (Vol. 7, Nos. 3 and 4) and ACM-Software Engineering Notes, (Vol. 3, No 5), November 1978.

[17] Naughton, J.L., et al, "Structured Programming Series", Vol. XIII, IBM Corporation, Gaithersburg, MD, July 1975.

[18] Glore, J.B., "Software Acquisition Management Guidebook: Life Cycle Events", The Mitre Corporation, Bedford, MA, February 1977.

[19] Mair, W.C., Wood, D.R., Davis, K.W., "Computer Control and Audit", The Institute of Internal Auditors, 1978.

[20] Jenkins, B., and Pinkney, A, "An Audit Approach to Computers", The Institute of Chartered Accountants in England and Wales, 1978.

[21] The EDP Auditor, Vol. 7 No. 2, Summer 1979.


Hart Will, Frank Manola, Marvin Schaefer, George I. Davida, (Frederick Palmer absent).

Note: Titles and addresses of attendees can be found in Appendix B.

EDITOR'S NOTES

HART J. WILL

Dr. Hart J. Will has been with the Faculty of Commerce and Business Administration at the University of British Columbia since 1969, first as Assistant Professor and currently as Associate Professor of Accounting and Management Information Systems. His research and teaching interests lie in: MIS analysis, design, audit, control and security; data and model base management and administration; audit software in general and ACL (Audit Command Language) in particular. He has worked, consulted, taught and published extensively in Europe and North America.

His activities include: Visiting Research Professor at Gesellschaft fuer Mathematik and Datenverarbeitung (GMD) in Germany, 1974-75; Chairman of U.E.C. International Symposium on Computer Auditing: Legal and Technical Issues, June 18-20, 1975, and Editor of Legal and Technical Issues of Computer Auditing (St. Augustin: GMD and UEC, 1975), the conference proceedings; Associate Editor of INFOR 1975-78; Vice President and Trustee of the EDP Auditors Foundation for Education and Research; Director of Publications and Editor of The EDP Auditor since 1978.

His academic degrees are: Diplom-Kaufmann (Free University of Berlin) and Ph.D. (University of Illinois at Urbana-Champaign), and his professional designations are RIA and CDPA.

THE CHARGE TO THE GROUP

Data base management systems can serve as an important element in the implementation of procedures and safeguards for the protection of information. This session was asked to identify the various vulnerabilities of a data base and inherent in the use of the data base management system. The controls that can be employed to counter the identified vulnerabilities were to be addressed. [See PART I, Section 2 for the complete charge given to this group.]

The report that follows is a consensus view of this session.
