Auditoría de Código Fuente Utilizando la Norma ISO-19011 y el Estándar IEEE-1028

Abstract

The following degree project was carried out for the Directorate of Information and Process Management (DIPM), which is a support entity of the National Polytechnic School for the fulfillment of its institutional mission, the DIPM has as main functions the administration of technological resources and services, in addition to quality management of both strategic and support processes of the EPN. The DIPM has developed the Integrated Information System of the EPN to manage all the information concerning the institution through this platform.

For which, it must be ensured that the integrated system complies with the best practices of secure application development, in order to avoid possible security gaps and guarantee the availability of the system, in order to have this declaration of conformity, a process of source code audit to the SAEW module of the EPN Integrated Information System.

To execute the source code audit of the SAEW module of the SII - EPN, six processes were defined that guide its execution, taking as reference the ISO 19011 standard and the IEEE 1028 standard, the processes defined are the following: Establishment of the plan of audit, Risk assessment and determination, Audit planning, Audit initiation, Preparation of audit resources, Examination; for each process its activities and executors are defined.

At the end of the audit, an audit report was delivered detailing the findings, evidence and recommendations for improvement on the observations made, with the purpose that they are taken into account and executed to guarantee that the development of the application is aligned with the best practices of secure application development.

KEY WORDS: source code audit, IEEE 1028, ISO 19011, frame of reference, best practices.