Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread Stephen Craig Evans
Hi Mark, What I have seen is that the organization develops security standards/guidelines and secure coding guidelines tailored to the org. If the org is big enough to have its own security team, then they do it; if not, then they hire consultants to do it. It's not too difficult to find out

[SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Herman Stevens
Hello Jim, I tend to disagree with your statement that security requirements should be part of contractual agreements or added to a purchase order. In the Real World (™ ☺) this does not work. Once signed, contracts are never looked at again, unless the shit hits the fan and someone must be

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Marcin Wielgoszewski
Steven, There are more than several managers of application security programs for F-100 companies that have written security requirements into their SLAs with outsourced development firms. One example uses application penetration testing and vulnerability assessment findings to enforce SLA

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Herman Stevens
Hello Marcin, I agree with your statement that many companies have some requirements in their SLAs with outsourced development firms. However, if these are really F-100 businesses they usually have all non-core processes outsourced (because a Big4 company told them that would reduce costs),

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread ljknews
At 9:03 PM -0500 11/26/08, Mark Rockman wrote: OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked?

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Asking about security in terms of an RFP is a big joke and reminds me of tactics I used in sixth grade when I used to figure out creative ways of answering a question by turning the question into an answer. One has to acknowledge that RFPs are not authoritative and are usually completed by sales

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Jim Manico
I think adding clear security requirements at the contractual level is *fundamental and necessary* when working with vendors who are writing software for you. Don't we talk about software security as being just another integrated part of writing software, not as an external activity? I'm

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
I am of the belief that the examples you provided are more requirements for your own staff. For example, shouldn't your business analysts define regular expressions and include them as functional requirements where the firm simply calls them? If you want regexes externalized into properties

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Some other thoughts that I haven't heard others mention? 1. OK, if you find that they didn't meet all the security requirements, will your business customers still want you to put it into production anyway? If the answer is yes, do you still want them to support it? How do we quantify who is