Re: [SC-L] Information Protection Policies
There is a text box in "Software Security" about this with some language I copied (with permission) from Jack Danahy of Ounce Labs.

www.swsec.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: Kenneth Van Wyk [mailto:[EMAIL PROTECTED]]
Sent: Tue Mar 13 12:23:16 2007
To: Secure Coding
Subject: Re: [SC-L] Information Protection Policies

This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] Information Protection Policies
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:

> Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

Using someone's "boilerplate" policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition. Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development.

I firmly believe that we as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still...

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Information Protection Policies
On a slightly tangential note, and apologies if this was mentioned on this list previously, OWASP has some guidelines on how consumers can write up contracts with their vendors related to secure software:

http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

- Steve
Re: [SC-L] Information Protection Policies
Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Thursday, March 08, 2007 11:17 AM
To: SC-L@securecoding.org
Subject: [SC-L] Information Protection Policies

* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. *
[SC-L] Information Protection Policies
Hopefully lots of the consultants on this list have been wildly successful in getting Fortune enterprises to embrace secure coding practices. I am curious to learn of those who have also been successful in getting these same Fortune enterprises to incorporate the notion of secure coding practices into an information protection policy and whether there are any publicly available examples.