The OWASP Legal project took a crack at this: http://www.owasp.org/index.php/Category:OWASP_Legal_Project
This project developed a strawman Secure Software Development Contract annex which is available at: http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
This project is led by Jeff Williams of Aspect Security.
-Dave
Dave Wichers
COO, Aspect Security
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Friday, June 09, 2006 12:10 PM
To: Secure Mailing List
Subject: RE: [SC-L] RE: Comparing Scanning Tools
I think I should have been more specific in my first post. I should have phrased it as I have yet to find a large enterprise whose primary business isn't software or technology that has made a significant investment in such tools.
Likewise, a lot of large enterprises are shifting away from building inhouse to either outsourcing and/or buying, which means that secure coding practices should also be enforced via procurement agreements. Has anyone here run across contract clauses that assist in this regard?
-----Original Message-----
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Scanning Tools
Right, because their customers (are starting to) demand more secure code from their technology. In the enterprise space the financial, insurance, healthcare companies who routinely lose their customers' data and provide their customers with vulnerability-laden apps have not yet seen the same amount of customer demand for this, but 84 million public lost records later ( http://www.privacyrights.org/ar/ChronDataBreaches.htm ) this may begin to change.
-gp
On 6/9/06 1:45 AM, "Brian Chess" <[EMAIL PROTECTED]> wrote:
McGovern, James F wrote:
> I have yet to find a large enterprise that has made a significant investment in such tools.
I'll give you pointers to two. They're two of the three largest software companies in the world.
http://news.com.com/2100-1002_3-5220488.html
http://news.zdnet.com/2100-3513_22-6002747.html
Brian
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php