I would think this might work, but I - if I ran a software development company - would be very scared about signing that contract... Even if I did everything right, who's to say I might not get blamed? Anyway, insurance would end up being the solution.
What you *should* be scared of is a contract that's silent about security. Courts will have to interpret (make stuff up) to figure out what the two parties intended. I strongly suspect courts will read in terms like "the software shall not have obvious security holes". They will probably rely on documents like the OWASP Top Ten to establish a baseline for trade practice.
Contracts protect both sides. Have the discussion. Check out the OWASP Software Security Contract Annex for a template.(http://www.owasp.org/documentation/legal.html).
--Jeff
----- Original Message ----- From: "Michael Silk" <[EMAIL PROTECTED]> To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]> Cc: "Secure Coding Mailing List" <SC-L@securecoding.org> Sent: Wednesday, April 06, 2005 9:40 AM Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?
> Quoting from the article:
> ''You can't really blame the developers,''
>
> I couldn't disagree more with that ...
>
> It's completely the developers fault (and managers). 'Security' isn't
> something that should be thought of as an 'extra' or an 'added bonus'
> in an application. Typically it's just about programming _correctly_!
>
> The article says it's a 'communal' problem (i.e: consumers should
> _ask_ for secure software!). This isn't exactly true, and not really
> fair. Insecure software or secure software can exist without
> consumers. They don't matter. It's all about the programmers. The
> problem is they are allowed to get away with their crappy programming
> habits - and that is the fault of management, not consumers, for
> allowing 'security' to be thought of as something seperate from
> 'programming'.
>
> Consumers can't be punished and blamed, they are just trying to get
> something done - word processing, emailing, whatever. They don't need
> to - nor should. really. - care about lower-level security in the
> applications they buy. The programmers should just get it right, and
> managers need to get a clue about what is acceptable 'programming' and
> what isn't.
>
> Just my opinion, anyway.
>
> -- Michael
>
>
> On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
>> Greetings++,
>>
>> Another interesting article this morning, this time from >> eSecurityPlanet.
>> (Full disclosure: I'm one of their columnists.) The article, by >> Melissa
>> Bleasdale and available at
>> http://www.esecurityplanet.com/trends/article.php/3495431, is on the
>> general
>> state of application security in today's market. Not a whole lot of >> new
>> material there for SC-L readers, but it's still nice to see the >> software
>> security message getting out to more and more people.
>>
>> Cheers,
>>
>> Ken van Wyk
>> --
>> KRvW Associates, LLC
>> http://www.KRvW.com
>>
>
>
