I've been pushing contractual requirements for ISVs at work (academic medical 
center with a $1B+ revenue hospital), particularly in the lengthy negotiations 
last winter with our new clinical information system vendor (the software 
license alone will cost us about $100M).  

In a nutshell:
- <me> "What secure coding practices do you use in your development process, 
e.g. source control, code reviews, use of static analysis tools, preferred 
libraries, training, a/v scanning on the gold master, etc?"
- <vendor> "huh?"
- After about 5 hours of this spread over 3 negotiating sessions, as part of 
months of overall negotiations, I eventually had to give up on the issue 
because the $100M train was leaving the barn with or without my requirements, 
and the vendor wasn't willing to concede more than "our software is compatible 
with your Symantec A/V". 
        
The good news is that coworkers now regularly come to me during vendor 
selection to ask about security requirements for contract negotiations, and 
we've succeeded in getting security provisions added to more recent contracts, 
but they haven't been in the code assurance area (e.g. "vendor agrees to add 
AD auth support" and "vendor agrees their software meets HIPAA regulations 
regarding electronic signatures"). Next time I'll start beating the drum 
earlier with my coworkers so that the issue can be placed at a higher priority, 
with more people pushing on the vendor. Things creep forward...

I see from the previously-posted http://news.com.com/2100-1002_3-5220488.html 
that Ounce Labs is trying to push it along:
"announced on Tuesday that it had created a boilerplate contract addendum that 
holds software makers responsible for guaranteeing the security of their 
software." 


On Fri, Jun 09, 2006 at 02:32:16PM -0400, Jeremy Epstein wrote:
> panel session where representatives from a couple of companies not in the
> software/technology business claimed that they're making contractual
> requirements in this area (i.e., that vendors are required to assert as part
> of the contract what measures they use to assure their code).  So I guess
> there's proof by construction that companies other than Microsoft & Oracle
> care.
>  
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
