As the author indicates in his preface, this book provides a great deal of useful information for various types of “experienced and novice auditors.” Despite the abundant white space in this large-format book, it is well worth its price for that audience. The book is divided into 17 chapters.
Introduction to Software Development
Risks and Exposures in Software Development
Overview of Software Development Methodology
Overview of Software Development Auditing
Preliminary Audit Planning Process
Types of Software Development Controls
Software Development Control Process
Auditing the Planning Phase
Auditing the Requirements Analysis Phase
Auditing the Design Phase
Auditing the Programming Phase
Auditing the Testing and Training Phases
Auditing the Conversion Phase
Conducting the Postimplementation Review
Non-Traditional Approaches to Software Development
Conclusion
Mini Case Studies in Auditing Software Development
The author’s claim that the book “can be used in undergraduate or graduate courses in information systems auditing” is justified, though it would not serve courses on security. Unfortunately, the book is not so useful for the computer applications programmers, systems programmers, and others who are in the book’s secondary audience and form the majority of ACM’s constituency. These people will find far too little specific information about desirable controls to benefit significantly from its wealth of useful and accurate information about auditing. Also limiting is the book’s exclusion of material on AS/400, PS/2, and all large systems other than IBM’s MVS. By far the greatest misfortune, however, is the inclusion within the book of so many inaccurate and dangerously misleading statements that correcting them must occupy the bulk of this review.
Inexplicably, some of the book’s starkest misstatements are contradicted within the text. For example, the book implies or explicitly states in a number of places that there is value in requiring users to know more than one secret, that is, password, to get their jobs done, yet elsewhere the text makes it fairly clear that resource-oriented passwords, reverification passwords, and sensitive-function passwords do more harm than good because they are intolerable nuisances to users and inferior ways of accomplishing the functions for which they are intended [1]. A smaller point is that page 164 includes SYS1.UADS in a list of MVS’s authorized program facility libraries, but page 168 properly excludes it and treats it separately. The same page treats “SUPERZAP” accurately, but other references in the text to that program repeat the errors found in other books on auditing.
Some of the text’s errors are fundamental. Page 61 says, “all employees should be required to sign a statement at the time of hiring stating that they will not disclose, . . . retrieve, modify, delete, or destroy sensitive or confidential company-related data or information. . . .”; many employees, of course, will find it impossible to do their jobs without violating that statement. On page 121, the author says that “employees should not divulge their user IDs”; effective use of electronic mail requires that they divulge these always-nonsecret identifiers. On page 90, the 63rd and last “Management Control” listed is “Where practical, maintain adequate segregation of duties”; other authorities would say that this control is the most important of all [2].
Perhaps most dangerous are the errors that may lead to unsafe practices or illusions about degrees of safety. Page 276 contains statements that provide a totally inaccurate and unsupportable view of the relative merits of two access control software products [3]. Page 166 urges the protection of “individual files within a magnetic tape,” but fails to note that such protection is ineffective on the system under discussion. The author urges password encryption more than once, but never mentions the exposure exploited by the Internet worm [4] and first documented over a decade ago [5]. The text correctly argues for auditor involvement in the development of application programs, but never alludes to the traditional counterargument of auditor independence. The omission leaves the student unprepared for any serious discussion of the topic.
Examples of infelicitous wording are not infrequent. We are told on page xiv that “absolute security is unattainable and would be prohibitively expensive”; the concept of pricing the unattainable boggles the mind. On page 160, I read “the use of user exits … may not be used properly.” An almost-adequate glossary is included, but it defines “spoofing” and “virus” incorrectly; the definition given for “virus” applies to “logic bomb” instead. “Virus” is also used in a different, equally incorrect sense in the text. “Discretionary access control” is defined in a way that no reader can be expected to appreciate, because “mandatory access control” is not defined.
The book’s bibliographic references are limited to “Selected Readings” rather than learned papers, but these include fine works, many from the National Bureau of Standards (now the National Institute of Standards and Technology). The index is adequate but not outstanding.
All in all, auditors apprised of the book’s errors may find its accurate material well worth its cost.