Secure Coding mailing list archives
RE: Comparing Scanning Tools
From: mgmlist at arpawocky.net (Michael Mucha)
Date: Mon, 12 Jun 2006 17:48:37 -0700
I've been pushing contractual requirements for ISVs at work (academic medical center with a $1B+ revenue hospital), particularly in the lengthy negotiations last winter with our new clinical information system vendor (the software license alone will cost us about $100M). In a nutshell:

- <me> "What secure coding practices do you use in your development process, e.g. source control, code reviews, use of static analysis tools, preferred libraries, training, a/v scanning on the gold master, etc?"
- <vendor> "huh?"
- After about 5 hours of this spread over 3 negotiating sessions, as part of months of overall negotiations, I eventually had to give up on the issue because the $100M train was leaving the barn with or without my requirements, and the vendor wasn't willing to concede more than "our software is compatible with your Symantec A/V".

The good news is that coworkers now regularly come to me during vendor selection to ask about security requirements for contract negotiations, and we've succeeded in getting security provisions added to more recent contracts, but they haven't been in the code assurance area (e.g. "vendor agrees to add AD auth support" and "vendor agrees their software meets HIPAA regulations regarding electronic signatures"). Next time I'll start beating the drum earlier with my coworkers so that the issue can be placed at a higher priority, with more people pushing on the vendor. Things creep forward...

I see from the previously-posted http://news.com.com/2100-1002_3-5220488.html that Ounce Labs is trying to push it along: "announced on Tuesday that it had created a boilerplate contract addendum that holds software makers responsible for guaranteeing the security of their software."

On Fri, Jun 09, 2006 at 02:32:16PM -0400, Jeremy Epstein wrote:
> panel session where representatives from a couple of companies not in the software/technology business claimed that they're making contractual requirements in this area (i.e., that vendors are required to assert as part of the contract what measures they use to assure their code). So I guess there's proof by construction that companies other than Microsoft & Oracle care.