Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-23 Thread Dave Wichers
Mason,

I know you and Jim are already aware of the OWASP Legal Project, which
has the Secure Software Development contract annex:
http://www.owasp.org/index.php/Category:OWASP_Legal_Project, which was
developed by Jeff Williams.

For everyone else, this guideline has been available at OWASP for many
years and served as the basis for the SANS Application Security
Procurement Language effort detailed here:
http://www.sans.org/appseccontract/.

I'm assuming this supply chain resiliency effort is a continuation of
the Application Security Procurement Language effort by Jim Routh and
Will Pelgrin.

-Dave

-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Mason Brown
Sent: Sunday, March 22, 2009 9:09 AM
To: 'Secure Code Mailing List'
Subject: [SC-L] Supply Chain Resiliency Project Assistance

 
Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a
project for the Financial Services ISAC.  There is a lot of knowledge on
this list and I was hoping you might be willing to offer your thoughts.
Below is the request from Jim.  If you have thoughts or data and could
share it, I'll be happy to collate and send back to the list or to anyone
that requests.  After he presents it to the FS-ISAC in May, the complete
information will be made public.

Important project if your organization uses contractors and outsourcers to
design, build or deploy important applications. Jim Routh, CISO at
Depository Trust and Clearing Corporation (and one of the top CISOs in
implementing application security), leads a broad industry team
identifying leading practices in improving supply chain resiliency --
specifically in the area of procurement for outsourcing software
development and services. They have asked for your help in finding sources
of information in the public domain and/or descriptions of a practice or
control that you have used that actually mitigates one or more risks. If
you have experience or knowledge of security controls and practices
specific to the outsourcing of application development through service
providers, please send a note to Mason Brown at mbr...@sans.org.
This can include things like sample contract language or URLs to
information/resources you have seen or used. We will provide a summary of
the information to anyone who contributes or expresses an interest in
seeing the results.


***
Action Required:

Give some thought to helpful information on security controls and
practices specific to the outsourcing of application development work
through service providers that will help improve the resiliency of the
supply chain. This may be in two categories:

1. Source information in the public domain with reference information on
where to find it (e.g. URL)
2. Description of a practice/control along with a summary of the risks
mitigated

We are striving to create a summary of practices/controls for
consideration for those organizations interested in significantly
increasing their supply chain resiliency and mitigating the risk of
sabotage of supply chain sources. This information along with the survey
results will provide the information security professional with a source
of information enabling him/her to determine the appropriate
practices/controls for his/her organization.



Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)
 

Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in
Baltimore, MD http://www.sans.org/info/39248 

SANS courses are hands-down the best security courses in the industry. -
Scott Hiltis, Bruce Power

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___



Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-23 Thread Mason Brown

Thanks Dave.  Yeah, we have the OWASP and SANS stuff plus a bunch of other
from DHS and so on.  Mostly we're looking for things people have done that
actually worked.  IOW, examples of controls are even better than research
or whitepapers.  

This initiative is actually unrelated to the procurement language stuff
Jim and Will worked on.  Although I'm sure Jim will include that in his
summary.  This is a Financial Services ISAC (FS-ISAC) sponsored program.
It focuses on a lot more than the procurement or services angles -- this
working group is just one part of a broader effort on supply chain
resiliency.  They will be presenting the results to FS-ISAC in May, I
think.

Mase


Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)
 




Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-23 Thread Rohit Lists
Mase,

I'm excited to see what FS-ISAC comes up with at the conference. In my
experience, the OWASP Secure Contract Annex is a great resource. That
said, sometimes people are looking for an interim quick and dirty
way to evaluate vendors for security while they work on building
application security into the contract language and throughout the
procurement process.

We're working with a few different companies on this problem right
now. What I've seen work is to get the software vendor's lead
developer/architect on the phone with an application security SME. You
can gauge a lot through a simple conversation by asking a few pointed
questions:

* Describe your process for training developers on software security.
Be specific about what guides/books/courses you use

* What tools do you use to perform security runtime and static analysis testing?

* How do you integrate security into the earlier phases of the SDLC -
e.g. requirements, architecture and design?

It might also be a good idea to ask a few more technical questions:
* How do you protect against SQL injection?

* How do you protect against parameter manipulation attacks?


If every answer consists entirely of "We use 128-bit encryption" and
"We have a firewall" (yes, people really do say that) then you have a
red flag.

If you're evaluating a set of different vendors then you can assign
scores to each answer and rank the summary of scores against
one another.

Of course this process is extremely subjective and has several obvious
limitations as compared to more rigorous methods that require
supporting documentation. That said, I believe it's a good idea to
have an informal process in the interim rather than no way to evaluate
security whatsoever.

Cheers,

Rohit


Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-22 Thread Gary McGraw
hi sc-l,

For what it's worth, I am involved in the project with jmr... as is Sammy
Migues.  jmr was our BSIMM participant from DTCC.  Their software security
initiative is most impressive.

gem




Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-22 Thread Gadi Evron
On Sun, 22 Mar 2009, Gary McGraw wrote:
 hi sc-l,

 For what it's worth, I am involved in the project with jmr...as is Sammy 
 Migues.  jmr was our BSIMM participant from DTCC.  Their software security 
 initiative is most impressive.

I don't know too much about supply chain issues, but I have to admit
that the lecture I heard on the subject by Marcus Sachs was highly
interesting and opened my eyes.

Blessed initiative.

Gadi.



Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-22 Thread Sammy Migues
Hello everyone,

To reinforce Mason's request, we're looking for any collection of controls 
(contractual, technical, people, process, etc.) that organizations should 
request, demand, cajole, enforce, etc. when out-sourcing software development 
to ensure the required software security in the resulting deliverable. For 
the purposes of this exercise, you can define "controls" and "software
security" as broadly as you like and we'll sort it out later.

Our next meeting with Jim is Tuesday afternoon and any pointers to public 
information, or copies of shareable non-public information, you can provide 
will be much appreciated.

Thanks,

--Sammy.
