Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-23 Thread Wisseman, Stan [USA]
 
Hi Mason,

The DHS Software Assurance Initiative has an Acquisition Working Group:
https://buildsecurityin.us-cert.gov/swa/acqwg.html

The efforts of the WG just got released on the NDU Press site:
http://www.ndu.edu/inss/press/books/irmc.pdf

The body of the document provides guidance on how to enhance the
acquisition lifecycle with SwA considerations. The Appendices have
suggested contract language and due diligence questions.

Links to most of the references in the document are available on the
resources section of the WG site, including Word versions of the
questionnaires and a tutorial based on the document:

https://buildsecurityin.us-cert.gov/swa/acqart.html

Stan



On 3/22/09 9:08 AM, "Mason Brown" wrote:


Jim Routh, CISO at Depository Trust and Clearing Corporation is leading
a project for the Financial Services ISAC.  There is a lot of knowledge
on this list and I was hoping you might be willing to offer your
thoughts.
Below is the request from Jim.  If you have thoughts or data and could
share it, I'll be happy to collate and send back to the list or to
anyone that requests.  After he presents it to the FS-ISAC in May, the
complete information will be made public.

Important project if your organization uses contractors and outsourcers
to design, build or deploy important applications. Jim Routh, CISO at
Depository Trust and Clearing Corporation (and one of the top CISOs in
implementing application security), leads a broad industry team
identifying leading practices in improving supply chain resiliency --
specifically in the area of procurement for outsourcing software
development and services. They have asked for your help in finding
sources of information in the public domain and/or descriptions of a
practice or control that you have used that actually mitigates one or
more risks. If you have experience or knowledge of security controls and
practices specific to the outsourcing of application development through
service providers please send a note to Mason Brown at mbr...@sans.org.
This can include things like sample contract language or URLs to
information/resources you have seen or used. We will provide a summary
of the information to anyone who contributes or expresses an interest
in seeing the results.


***
Action Required:

Give some thought to helpful information on security controls and
practices specific to the outsourcing of application development work
through service providers that will help improve the resiliency of the
supply chain that may be in two categories:

1. Source information in the public domain with reference information on
where to find it (eg: url)
2. Description of a practice/control along with a summary of the risks
mitigated

We are striving to create a summary of practices/controls for
consideration for those organizations interested in significantly
increasing their supply chain resiliency and mitigate the risk of
sabotage of supply chain sources. This information along with the survey
results will provide the information security professional with a source
of information enabling him/her to determine the appropriate
practices/controls for his/her organization.



Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)


Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in
Baltimore, MD http://www.sans.org/info/39248

"SANS courses are hands-down the best security courses in the industry."
- Scott Hiltis, Bruce Power

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org List
information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com) as a free, non-commercial service to the software
security community.
___


Re: [SC-L] Software security video podcast

2007-10-29 Thread Wisseman, Stan [USA]
> If it isn't in the RFP then it's not a requirement, regardless of what the
> customer implicitly expected.

DHS has a draft guide to raise the awareness of those in the acquisition
process about the need for software security and how to include the RFP
language. 

https://buildsecurityin.us-cert.gov/daisy/bsi/resources/dhs/908.html 

The comment period is still open if you have suggestions on how to improve
the guide.

Stan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of John Mason Jr
Sent: Saturday, October 27, 2007 1:12 PM
To: Secure Coding
Subject: Re: [SC-L] Software security video podcast

J.M. Seitz wrote:
>> Software security can be tricky when it comes to requirements, mostly 
>> because customers and consumers don't explicitly demand
>> security, rather they implicitly expect it.
> 
> Wait a second here, don't customers also implicitly expect that the 
> software is going to run? I mean I haven't seen a requirements 
> document _ever_ that has said "The software must start.". They just 
> implicitly expect that its going to do that.
> 
> Doesn't seem like a big surprise that most customers will _expect_ 
> that "Hey, I don't want this software pwnable after you're done with it."
> 
> Not sure where the trickiness you are referring to comes from?
> 
> JS
> 
> ps. Didn't AW publish your book(s)? :) I would be real surprised 
> [turning on Tom Ptaceks snarky bit] if there's any mention of them.


If it isn't in the RFP then it's not a requirement, regardless of what the
customer implicitly expected.

The customers don't see a value to the added cost(s) of a secure system,
unless they have a business requirement to adhere to such as PCI compliance,
or HIPAA.

If a requirement is important to the business it must be explicit, but this
means the folks writing the RFP must have the understanding to make sure it
is in the RFP, otherwise you could end up with the better system (more
secure) not being selected because it costs more.

Now the company who bids the project in a more secure fashion will also get
a tangible benefit from code review and other processes that make for a
secure system, but they won't invest in this avenue until the RFP requires
it.


John
