> If it isn't in the RFP then it's not a requirement, regardless of what the
> customer implicitly expected.
DHS has a draft guide to raise the awareness of those in the acquisition
process about the need for software security and how to include the RFP
language.
https://buildsecurityin.us-cert.go
IMO (IANAL) this is a position that is increasingly untenable as we move
forward, especially in the consumer markets. As a customer I do, in
fact, expect software to operate "correctly" (per features and functions
promised / contracted) but also "securely" in that it doesn't contain
bugs or insecu