Secure Coding mailing list archives
Supply Chain Resiliency Project Assistance
From: wisseman_stan at bah.com (Wisseman, Stan [USA])
Date: Sun, 22 Mar 2009 22:20:49 -0400
Hi Mason,

The DHS Software Assurance Initiative has an Acquisition Working Group: https://buildsecurityin.us-cert.gov/swa/acqwg.html

The efforts of the WG just got released on the NDU Press site: http://www.ndu.edu/inss/press/books/irmc.pdf

The body of the document provides guidance on how to enhance the acquisition lifecycle with SwA considerations. The Appendices have suggested contract language and due diligence questions. Links to most of the references in the document are available on the resources section of the WG site, including Word versions of the questionnaires and a tutorial based on the document: https://buildsecurityin.us-cert.gov/swa/acqart.html

Stan

------------------------------------

On 3/22/09 9:08 AM, "Mason Brown" <mbrown at sans.org> wrote:

Jim Routh, CISO at Depository Trust and Clearing Corporation, is leading a project for the Financial Services ISAC. There is a lot of knowledge on this list and I was hoping you might be willing to offer your thoughts. Below is the request from Jim. If you have thoughts or data and could share it, I'll be happy to collate and send back to the list or to anyone that requests. After he presents it to the FS-ISAC in May, the complete information will be made public. Important project if your organization uses contractors and outsourcers to design, build or deploy important applications.

Jim Routh, CISO at Depository Trust and Clearing Corporation (and one of the top CISOs in implementing application security), leads a broad industry team identifying leading practices in improving supply chain resiliency -- specifically in the area of procurement for outsourcing software development and services. They have asked for your help in finding sources of information in the public domain and/or descriptions of a practice or control that you have used that actually mitigates one or more risks.

If you have experience or knowledge of security controls and practices specific to the outsourcing of application development through service providers, please send a note to Mason Brown at mbrown at sans.org. This can include things like sample contract language or URLs to information/resources you have seen or used. We will provide a summary of the information to anyone who contributes or expresses an interest in seeing the results.

***************************

Action Required: Give some thought to helpful information on security controls and practices specific to the outsourcing of application development work through service providers that will help improve the resiliency of the supply chain. This may be in two categories:

1. Source information in the public domain with reference information on where to find it (e.g., URL)
2. Description of a practice/control along with a summary of the risks mitigated

We are striving to create a summary of practices/controls for consideration by those organizations interested in significantly increasing their supply chain resiliency and mitigating the risk of sabotage of supply chain sources. This information, along with the survey results, will provide the information security professional with a source of information enabling him/her to determine the appropriate practices/controls for his/her organization.

Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)

Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in Baltimore, MD
http://www.sans.org/info/39248

"SANS courses are hands-down the best security courses in the industry."
- Scott Hiltis, Bruce Power

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________