Enumerating all of the potential weaknesses in software as a requirement to be put into a contract is somewhat problematic on several levels. I guess you can take something like CWE as a starting point and filter down the headers to things that only apply to your particular implementation. A better approach would be to filter providers based on security before you even get to the contract stage. For example, ask if they would be willing to procure a copy of a static analysis tool from a vendor such as Ounce Labs, Coverity, etc., and then check on the backside to see how many seats they have purchased (e.g. reference check). You can also use as a "proxy" the level of participation by inquiring how deeply and frequently they participate in local user groups such as OWASP. If they have folks that speak at OWASP events, then they are probably much more security conscious than those who don't. If they don't speak but do attend, that is also better than simply getting the person on the Asian vendor's side simply telling you whatever is required to close the deal.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Manico
Sent: Thursday, November 27, 2008 4:38 PM
To: Mark Rockman
Cc: Secure Mailing List
Subject: Re: [SC-L] How Can You Tell It Is Written Securely?

> OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked? What simple yet thorough inspection process is there that'll do the job? Doesn't exist, does it?

The most important thing you can do is provide very specific security requirements as part of your vendor contract BEFORE you hire a vendor - and the process of building these security requirements might call for bringing in a security consultant if you do not have the expertise in-shop.

Requirements that allow a vendor to actually provide security are line items like (assuming it's a web app):

"Provide input validation for every piece of user data. Do so by mapping every unique piece of user data to a regular expression that is placed inside a configuration file."

"Provide CSRF protection by creating and enforcing a form nonce for every user session"

After you build this list for your company, it should provide you with a core list of security requirements that you can add to any PO.

- Jim

MARK ROCKMAN
MDRSESCO LLC

________________________________
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com
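The two contract line items Jim quotes above (regex-per-field input validation driven from a configuration file, and a per-session CSRF form nonce that is enforced on submit) are concrete enough to show as code. The following is an added example written for this page, not code from the thread or from any of the vendors or projects named in it; the INI-style config text, the `user_input` section name, the field names, and the in-memory `SessionStore` are all constructed stand-ins for whatever a real application would use.

```python
"""Added example (not from the SC-L thread): the two quoted contract line items
turned into checkable code.

1. Input validation: every named piece of user data maps to an anchored regular
   expression kept in a configuration file (here a constructed INI string). A
   field that has no configured pattern is rejected, so the default is deny.
2. CSRF protection: one nonce generated per session, embedded in every form,
   and verified on submit with a constant-time comparison.
"""
import configparser
import hmac
import re
import secrets

# Constructed sample configuration: field name -> regular expression.
# In a real deployment this would live in a file the vendor ships with the app.
VALIDATION_CONFIG = r"""
[user_input]
username = ^[a-zA-Z0-9_]{3,32}$
email = ^[^@\s]+@[^@\s]+\.[a-zA-Z]{2,}$
quantity = ^[1-9][0-9]{0,3}$
"""


def load_validation_rules(config_text: str) -> dict:
    """Parse the config and compile one regex per field name."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return {name: re.compile(pattern) for name, pattern in parser.items("user_input")}


def validate_input(rules: dict, submitted: dict) -> dict:
    """Return {field: reason} for every offending field; an empty dict means clean.

    fullmatch() is used rather than search()/match() so a pattern ending in '$'
    cannot be satisfied by a value with a trailing newline.
    """
    errors = {}
    for field, value in submitted.items():
        rule = rules.get(field)
        if rule is None:
            errors[field] = "no validation rule configured"  # default deny
        elif not isinstance(value, str) or rule.fullmatch(value) is None:
            errors[field] = "does not match configured pattern"
    return errors


class SessionStore:
    """Minimal server-side session store (constructed stand-in for a real one)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        """Create a session and mint its CSRF nonce once, for the session's lifetime."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf_nonce": secrets.token_urlsafe(32)}
        return sid

    def form_nonce(self, sid: str) -> str:
        """The value to embed as a hidden field in every form rendered for this session."""
        return self._sessions[sid]["csrf_nonce"]

    def verify_form_nonce(self, sid: str, submitted_nonce) -> bool:
        """Constant-time check of the submitted nonce against the session's nonce."""
        session = self._sessions.get(sid)
        if session is None or not isinstance(submitted_nonce, str):
            return False
        return hmac.compare_digest(session["csrf_nonce"], submitted_nonce)


def handle_form_post(store: SessionStore, rules: dict, sid: str, form: dict) -> dict:
    """Process one form submission: CSRF check first, then per-field validation."""
    if not store.verify_form_nonce(sid, form.get("csrf_nonce")):
        return {"status": "rejected", "reason": "csrf nonce missing or invalid"}
    fields = {k: v for k, v in form.items() if k != "csrf_nonce"}
    errors = validate_input(rules, fields)
    if errors:
        return {"status": "rejected", "reason": "validation", "errors": errors}
    return {"status": "accepted", "fields": fields}


if __name__ == "__main__":
    rules = load_validation_rules(VALIDATION_CONFIG)
    store = SessionStore()
    sid = store.new_session()
    good = {"csrf_nonce": store.form_nonce(sid), "username": "alice_1", "quantity": "3"}
    print(handle_form_post(store, rules, sid, good))
    no_nonce = {"username": "alice_1", "quantity": "3"}
    print(handle_form_post(store, rules, sid, no_nonce))
    unknown_field = {"csrf_nonce": store.form_nonce(sid), "comment": "hi"}
    print(handle_form_post(store, rules, sid, unknown_field))
```

Two design points make the line items auditable rather than aspirational: the validator rejects any field that is absent from the configuration file, so a reviewer can check coverage by diffing the form's field names against the config, and the nonce is compared with `hmac.compare_digest`, so the enforcement step does not leak timing information about the session's nonce.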