Secure Coding mailing list archives

RE: Comparing Scanning Tools


From: mgmlist at arpawocky.net (Michael Mucha)
Date: Mon, 12 Jun 2006 17:48:37 -0700


I've been pushing contractual requirements for ISVs at work (academic medical center with a $1B+ revenue hospital), 
particularly in the lengthy negotiations last winter with our new clinical information system vendor (the software 
license alone will cost us about $100M).  

In a nutshell:
- <me> "What secure coding practices do you use in your development process, e.g. source control, code reviews, use of 
static analysis tools, preferred libraries, training, a/v scanning on the gold master, etc?"
- <vendor> "huh?"
- After about 5 hours of this spread over 3 negotiating sessions, as part of months of overall negotiations, I 
eventually had to give up on the issue because the $100M train was leaving the barn with or without my requirements, 
and the vendor wasn't willing to concede more than "our software is compatible with your Symantec A/V". 
        
The good news is that coworkers now regularly come to me during vendor selection to ask about security requirements for 
contract negotiations, and we've succeeded in getting security provisions added to more recent contracts, but they 
haven't been in the code assurance area (e.g. "vendor agrees to add AD auth support" and "vendor agrees their software 
meets HIPAA regulations regarding electronic signatures"). Next time I'll start beating the drum earlier with my 
coworkers so that the issue can be placed at a higher priority, with more people pushing on the vendor. Things creep 
forward...

I see from the previously-posted http://news.com.com/2100-1002_3-5220488.html that Ounce Labs is trying to push it 
along:
"announced on Tuesday that it had created a boilerplate contract addendum that holds software makers responsible for 
guaranteeing the security of their software." 


On Fri, Jun 09, 2006 at 02:32:16PM -0400, Jeremy Epstein wrote:
> panel session where representatives from a couple of companies not in the
> software/technology business claimed that they're making contractual
> requirements in this area (i.e., that vendors are required to assert as part
> of the contract what measures they use to assure their code).  So I guess
> there's proof by construction that companies other than Microsoft & Oracle
> care.