James McGovern asks a legitimate question (side note - one of the reasons I enjoy James' blog so much is that he advocates from the side of the equation for the people who actually buy/use/implement all this stuff. There are lots of blogs from vendors and so on, but lots of things get dropped between "winning the war" (the next great technology the vendors have to offer) and "managing the peace" (people in the trenches of corporations trying to develop/integrate/secure this stuff while running a business). The back of this equation brings whole sets of new questions...back to James' question) about how should companies manage their relationship with vendors to get more secure code. His ask:
If I woke up one day, and found myself in control of this, here is what I would want:
Contracts should allow for the enterprise to test software in any way it chooses. A lot of software licenses currently may not allow that.
Right you see more sploits on Windows than SAP and Cisco, because fewer people have the latter set up and running on their home systems, so they have nothing to bang against.
Mandate third party testing and the ability to see the outcome of those tests. You may not get access to the whole report, but there should be enough there to make a genuine assessment of how the vendor thinks about security. Sophisticated enterprises even have lists of approved vendors that they will accept testing results from.
Bring on the crash test dummies.
Language about how the vendor will ensure no backdoors or other forms of malicious code are in the application. It is a good starting point, and makes sure that someone on their side is at least thinking about it. SLAs around response times for vulnerabilities.
I blogged before about one my favorite OWASP projects - the OWASP Legal Project, whose mantra is - Getting the Lawyers to do our work for us. Lawyers can't fix it by themselves, but if you are in a F500 company there are probably lots of lawyers sitting around, why not put 'em to work doing something useful like working on software security?
If you outsource development you know that one of the only times you have good leverage is during contract negotiations. The OWASP legal project contains standard contract langauge that your legal team can use to add the appropriae requirements into yor contract to ensure that you don't get security bug-ridden code back with no recourse. I am not a lawyer, but this project's work and software security standard contract language, worth sharing with your company's legal team.