I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle.
What about the ‘procure’ part?
Here, organizations should make sure that the contract language they use when procuring (or outsourcing) software externally includes the same kind of requirement: proof that security testing is part of the supplier's software development lifecycle.
OWASP has a project that provides sample contract language here, and, using the OWASP material as a foundation, SANS provides guidance here.
If you haven’t modified your procurement and outsourcing contracting process to include security-related requirements like these, make this a priority in 2010. Use these sample contracts as starting points and make sure to have a qualified attorney help with the final contract negotiation language.

Neil MacDonald
6 responses so far
1 Dan Cornell January 16, 2010 at 12:38 pm
For procurement purposes, you could also look to use the OWASP Application Security Verification Standard (ASVS):
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
It lays out increasing degrees of verification that can be performed for web applications and provides what is intended to be a reasonably unambiguous description of the security controls in an application. For example, Organization A could agree to have their applications successfully verified at level 2A by an independent 3rd party before Organization B would start using them. We’re talking to some firms right now about possibly using ASVS as a web application equivalent of a SAS 70.
I would avoid using the OWASP Top 10 _for procurement_ because it is an awareness document and not a standard. That being said – the OWASP Top 10 is great for promoting awareness.
–Dan
@danielcornell
2 Jim Manico January 17, 2010 at 9:19 pm
This is a very interesting and timely topic. Neil, I’d like to invite you to interview with the OWASP Podcast Series – please just email us at podcast@owasp.org if you are interested. It will help you get a little visibility for Gartner.
Keep up the great work!
Respectfully,
–
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
3 Matthew Moynahan January 18, 2010 at 9:46 am
Gartner has rightfully pointed out for some time that a holistic approach to implementing an enterprise application security strategy should include the assessment of third party (vendor or outsourced development) code and application of equally rigorous security testing as you would do internally. I believe this most recent attack on Google by the Chinese suggests that this should be considered as equally high in importance, as third party vulnerabilities will be an attack vector that is increasingly leveraged by hackers given the inconsistent and lengthy enterprise patch and upgrade cycles. The Google and Adobe hacks have shown that no enterprise – and no type of information – will be spared given the perceived and marketable value of the asset.
4 Neil MacDonald January 18, 2010 at 1:50 pm
Daniel – thanks for the link – much appreciated
Matthew – yes – third party apps are every bit as important as in-house developed apps. You could require these vendors to show proof of security testing as part of the contract language (as this post talks about) – or you could test it yourself. This is critical in the case of IE, Adobe, Symantec and other common desktop software (esp when users run as standard user). See this post:
http://blogs.gartner.com/neil_macdonald/2009/04/15/attackers-are-moving-up-the-stack-so-should-we/
6 Why Don’t Mobile Application Stores Require Security Testing? February 3, 2010 at 8:58 am
[...] require developers to show proof of security testing before being allowed to post an application. We require this for procured enterprise software, why not for mobile software? Problem is, there aren’t any standards of proof for this and a [...]