Secure Coding mailing list archives
Re: Government Computer News (GCN) -- Contract addendum could enforce software security
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 08 Sep 2004 14:29:01 +0100
If government is unwilling or unable to put decent laws or regulations in place, then contracting is the way to get the rights and responsibilities assigned sanely. I think Ounce is on the exact right track here.

If you're interested in software contracting and security, you might like an article I wrote at OWASP -- http://www.owasp.org/columns/jwilliams/jwilliams4.html. At the very end is a link to the GE Code Integrity Warranty which is a good example. Well, a good example of one end of the spectrum anyway.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 07, 2004 4:07 PM
Subject: [SC-L] Government Computer News (GCN) -- Contract addendum could enforce software security

Another FYI today... I saw an interesting article in GCN (via a link from LinuxSecurity.com) regarding an announcement from the folks at Ounce Labs. The article (which is at http://www.gcn.com/23_26/product-briefs/27167-1.html for those interested) states, "Ounce Labs has published sample contract language for software development that sets specific security standards and requires a security audit of the source code. The language frees the buyer from having to pay for software that does not meet the standards."

Anyone here familiar with any organizations that have adopted Ounce Labs' contract verbiage -- or something conceptually similar to it?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com