Secure Coding mailing list archives
Information Protection Policies
From: ken at krvw.com (Kenneth Van Wyk)
Date: Tue, 13 Mar 2007 12:18:47 -0400
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?
Using someone's "boilerplate" policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition. Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development.

I firmly believe that we as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still...

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com