I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle.
What about the ‘procure’ part?
Here, organizations should make sure that their contract language when procuring (or outsourcing) software externally includes similar requirements, including proof that security testing is part of the vendor's software development lifecycle.
OWASP has a project that provides sample contract language here, and, using the OWASP work as a foundation, SANS provides guidance here.
If you haven’t modified your procurement and outsourcing contracting process to include security-related requirements like these, make this a priority in 2010. Use these sample contracts as starting points and make sure to have a qualified attorney help with the final contract negotiation language.