Re: [SC-L] Information Protection Policies

2007-03-13 Thread Kenneth Van Wyk

On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
> Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

Using someone's boilerplate policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition.

Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development.

I firmly believe that we, as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still...


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Information Protection Policies

2007-03-13 Thread Gary McGraw
There is a text box in Software Security about this with some language I copied (with permission) from Jack Danahy of Ounce Labs.

www.swsec.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


 -Original Message-
From:   Kenneth Van Wyk [mailto:[EMAIL PROTECTED]
Sent:   Tue Mar 13 12:23:16 2007
To: Secure Coding
Subject:Re: [SC-L] Information Protection Policies

On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
> Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

Using someone's boilerplate policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition.

Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development.

I firmly believe that we, as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still...

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Information Protection Policies

2007-03-10 Thread Steven M. Christey

On a slightly tangential note, and apologies if this was mentioned on this
list previously, OWASP has some guidelines on how consumers can write up
contracts with their vendors related to secure software:

http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

- Steve


Re: [SC-L] Information Protection Policies

2007-03-09 Thread McGovern, James F (HTSC, IT)
Ken, in terms of a previous response to your posting in terms of getting 
customers to ask for secure coding practices from vendors, wouldn't it start 
with figuring out how they could simply cut-and-paste InfoSec policies into 
their own?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of McGovern, James F
(HTSC, IT)
Sent: Thursday, March 08, 2007 11:17 AM
To: SC-L@securecoding.org
Subject: [SC-L] Information Protection Policies


Hopefully lots of the consultants on this list have been wildly successful in 
getting Fortune enterprises to embrace secure coding practices. I am curious to 
learn of those who have also been successful in getting these same Fortune 
enterprises to incorporate the notion of secure coding practices into an 
information protection policy and whether there are any publicly available 
examples.

