SOURCE: Ounce Labs

September 19, 2005 10:10 ET

IT Audit Veteran Offers Peer-Reviewed Software Security Assurance Framework

Hundreds of Industry Professionals Offer Input and Feedback on Audit Guidance Sponsored by Ounce Labs

LONGWOOD, FL and WALTHAM, MA -- (MARKET WIRE) -- September 19, 2005 -- CHL Global Associates, experts in IT audit and risk management, and Ounce Labs, the leader in software security assurance, today announce the public release of Software Security Assurance -- A Framework for Software Vulnerability Management and Audit. Mapped to relevant industry regulations and standards, including Sarbanes-Oxley, ISO 17799, COBIT, and COSO* controls, the Framework offers chief risk and compliance officers, audit teams, and security professionals guidance on effective software risk management controls. In the wake of increasingly frequent targeted attacks and massive identity thefts, the document fills in gaps in enterprise audit programs and practices, which generally do not account for measuring and addressing software risk.

Charles Le Grand, primary author of the Framework, has been a professional auditor for over 30 years and is the CEO and founder of CHL Global Associates. He previously directed The Institute of Internal Auditors Research Foundation, served as IIA's CIO, and served in advisory roles for organizations such as the board of the Partnership for Critical Infrastructure Security, the U.S. President's National Infrastructure Advisory Council, and the American Bar Association's Information Security Committee.

"The industry largely understands the responsibilities and procedures of IT Audit at the network level, but there is still a lot of uncertainty about what reasonable controls should be in place to assure software security," said Le Grand. "In some cases, not properly auditing for specific security mechanisms and policies may constitute negligence, so we created this framework as a step-by-step guide that organizations can use to effectively audit their software risk management programs."

The peer-reviewed Framework offers detailed audit checklists and defines the software security roles for all levels of management and technical responsibility across the enterprise. Research and development of the document was sponsored by Ounce Labs, which offers Software Security Assurance products for commercial and federal markets. By analyzing applications at the source code itself, Ounce Labs' products provide accurate, automated software security assessments with metrics, trend reporting, and documentation of controls necessary to thoroughly audit software systems.

In Forrester Research's July 12th report, Seven Habits of Highly Effective Compliance Programs, analyst Michael Rasmussen explains the benefit of such automated tools, stating, "Firms should regularly monitor and audit controls through a manual or automated process that validates that the control is in place and operating effectively." The report goes on to say, "In ongoing control management, specifically on IT systems, many organizations are looking toward automated control monitoring and enforcement to ease the burden of control validation."

"Our products allow an effective process for conducting software audits and informed decision making to mitigate enterprise risk," said Jack Danahy, CEO of Ounce Labs. "Expanding regulations, targeted attacks, and media headlines over the past several months continue to demonstrate the need for better software security assurance and audit, and the tremendous work done by Charlie and his colleagues helps companies understand exactly what that entails."

Software Security Assurance -- A Framework for Software Vulnerability Management and Audit is available for free online at:

*Control Objectives for Information and related Technology (COBIT) and Committee of Sponsoring Organizations (COSO)

CHL Global Associates

CHL Global Associates provides information security and reliability services in association with the best available technology management, security, control, risk management, auditing, assurance, and governance advisers and experts. With over 30 years of experience, CEO and founder Charles Le Grand, CISA, CIA, has produced board-level guidance on information security for the U.S. Critical Infrastructure Assurance Office (CIAO, now part of the Department of Homeland Security), and directed the work of The Institute of Internal Auditors Research Foundation that produced the landmark Systems Auditability and Control (SAC) reports. More information can be found at

Ounce Labs, Inc.

Ounce Labs™, the leader in software security assurance, delivers products that allow customers to verify that software meets their defined security requirements. Ounce Labs' enterprise-level source code vulnerability analysis provides reliable metrics necessary to manage software risk, enforce security policies, enhance audit capabilities, and track compliance efforts. Based on patents-pending Contextual Analysis technology, Ounce Labs' products also pinpoint specific software design errors and coding flaws to simplify remediation during any phase of the development lifecycle. Founded in 2002, Ounce Labs is located in Waltham, Massachusetts. For more information, please visit

Contact Information

    Chris McClean
    Ounce Labs
    781.547.7031 (o)
    617.571.8945 (m)