Re: Application Insecurity --- Who is at Fault?

["Jeff Williams" <jeff.williams () aspectsecurity com>]

I would think this might work, but I - if I ran a software development
company - would be very scared about signing that contract... Even if
I did everything right, who's to say I might not get blamed? Anyway,
insurance would end up being the solution.


What you *should* be scared of is a contract that's silent about security. 
Courts will have to interpret (make stuff up) to figure out what the two 
parties intended.  I strongly suspect courts will read in terms like "the 
software shall not have obvious security holes".  They will probably rely on 
documents like the OWASP Top Ten to establish a baseline for trade practice.


Contracts protect both sides.  Have the discussion.  Check out the OWASP 
Software Security Contract Annex for a 
template.(http://www.owasp.org/documentation/legal.html).


--Jeff




----- Original Message -----
From: "Michael Silk" <[EMAIL PROTECTED]>
To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 06, 2005 9:40 AM
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?

> Quoting from the article:
> ''You can't really blame the developers,''
>
> I couldn't disagree more with that ...
>
> It's completely the developers fault (and managers). 'Security' isn't
> something that should be thought of as an 'extra' or an 'added bonus'
> in an application. Typically it's just about programming _correctly_!
>
> The article says it's a 'communal' problem (i.e: consumers should
> _ask_ for secure software!). This isn't exactly true, and not really
> fair. Insecure software or secure software can exist without
> consumers. They don't matter. It's all about the programmers. The
> problem is they are allowed to get away with their crappy programming
> habits - and that is the fault of management, not consumers, for
> allowing 'security' to be thought of as something seperate from
> 'programming'.
>
> Consumers can't be punished and blamed, they are just trying to get
> something done - word processing, emailing, whatever. They don't need
> to - nor should. really. - care about lower-level security in the
> applications they buy. The programmers should just get it right, and
> managers need to get a clue about what is acceptable 'programming' and
> what isn't.
>
> Just my opinion, anyway.
>
> -- Michael
>
>
> On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> > Greetings++,
> >
> > Another interesting article this morning, this time from 
> > eSecurityPlanet.
> > (Full disclosure: I'm one of their columnists.)  The article, by 
> > Melissa

> > Bleasdale and available at
> > http://www.esecurityplanet.com/trends/article.php/3495431, is on the
> > general
> > state of application security in today's market.  Not a whole lot of 
> > new
> > material there for SC-L readers, but it's still nice to see the 
> > software

> > security message getting out to more and more people.
> >
> > Cheers,
> >
> > Ken van Wyk
> > --
> > KRvW Associates, LLC
> > http://www.KRvW.com