I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle.
What about the ‘procure’ part?
Here, organizations should make sure that their contract language when procuring (or outsourcing) software externally also includes similar requirements of proof of testing in their software development lifecycle.
OWASP has a project that provides sample contract language here, and, using the OWASP material as a foundation, SANS provides guidance here.
If you haven’t modified your procurement and outsourcing contracting process to include security-related requirements like these, make this a priority in 2010. Use these sample contracts as starting points and make sure to have a qualified attorney help with the final contract negotiation language.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.