One of my favorite OWASP projects is the OWASP Legal Project. Jeff Williams, the project lead, described this project to me as "getting the lawyers to do our work for us." We are at a point now where the demand for security services is increasing. As many experts like Dan Geer point out, we will not be able to train new security people fast enough to deal with the demand. So, one way to mitigate this is to have security teams provide prescriptive guidance that other groups can execute. Of course, when you delegate things like this, you would like to delegate to someone who can make things happen. Lawyers have their uses: in outsourced development, contract negotiation usually represents the point of maximum leverage for companies to get their requirements met. Lawyers usually lack the developer-fu to know what should be specified in the contract. The OWASP Legal Project provides some excellent guidance for companies to do just that. With a minimum of awareness and technical support provided by development and security groups, lawyers are empowered to write much more effective contracts from a security standpoint. Or, in other words, to do at least some of our job for us.
This contract Annex is intended to help software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed or delivered. The reason for this project is that most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. We believe that clearly articulating these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
As John Pescatore, a research director with Gartner, put it:
"The security of commercial software will improve when the market demands better security. At a minimum, every software request for proposal should ask vendors to detail how they test their products for security vulnerabilities. This step will start convincing vendors of off-the-shelf software and outsourced developers that enterprises value security."
The contract project deals with: requirements and lifecycle, personnel, environments, testing and acceptance, assurance, reviews, and more. Tell your leadership and legal team about this today!