Hi Gary,

You may wish to consider the OWASP Legal Project at
https://www.owasp.org/index.php/Category:OWASP_Legal_Project which is
a positive, free, and open resource to assist in building legal
contractual agreements around software security with your vendors.

The state of NY procurement and others have been using this material
as a basis for vendor contract language for years.

Regards,
Jim Manico

On Apr 12, 2011, at 10:18 PM, Gary McGraw <g...@cigital.com> wrote:

> hi sc-l,
>
> During RSA this year Jim Routh (JPMC), Doug Cavit (Microsoft) and I ended up 
> having a productive "hall meeting" about vendor control, the Microsoft SDL, 
> the BSIMM, and software security.  Jim is in search of a way to place some 
> kind of security control over his software vendors (they are ramping up their 
> software security initiative at JPMC this year but also use plenty of COTS 
> and third-party software).  The issue is how to get to an SDL-level 
> discussion with vendors instead of languishing in the "OWASP-top-ten for one 
> particular app" space.
>
> Here is an article about Vendor Control and the BSIMM that introduces a very 
> simple attestation-based scheme Sammy and I have developed called vBSIMM.  
> Jim has been in the loop throughout ideation and writing and endorses the 
> approach:
> http://www.informit.com/articles/article.aspx?p=1703668
>
> Two things to note: 1) the vBSIMM bar is very low, but the working theory is 
> that three sets of vendors will emerge once we try this out: some vendors 
> (including those who participate in the BSIMM Community) will be well past 
> these simple activities, some will be mealy-mouthed about exactly what they 
> are doing, and some will be clueless.  We believe that the vBSIMM will be 
> able to distinguish between those three sets rather easily. 2) beginning with 
> the vBSIMM may encourage smaller vendors to develop more mature software 
> security initiatives.
>
> The notion of self-scoring and attestation works for very easy activities 
> such as those included in the vBSIMM.  A complete BSIMM score makes much 
> better sense for vendors who are well ahead of the curve (e.g., BSIMM 
> participants).
>
> Don't forget to compare this in your mind to the alternative which seems to 
> be looking for certain bugs in a particular app, one app at a time.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________