Secure Coding mailing list archives

Re: Government Computer News (GCN) -- Contract addendum could enforce software security
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 08 Sep 2004 14:29:01 +0100

If government is unwilling or unable to put decent laws or regulations in
place, then contracting is the way to get the rights and responsibilities
assigned sanely.  I think Ounce is on the exact right track here.

If you're interested in software contracting and security, you might like an
article I wrote at OWASP -- 
http://www.owasp.org/columns/jwilliams/jwilliams4.html.  At the very end is
a link to the GE Code Integrity Warranty which is a good example.  Well, a
good example of one end of the spectrum anyway.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message ----- 
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 07, 2004 4:07 PM
Subject: [SC-L] Government Computer News (GCN) -- Contract addendum could enforce software security


Another FYI today...  I saw an interesting article in GCN (via a link from
LinuxSecurity.com) regarding an announcement from the folks at Ounce Labs.
The article (which is at http://www.gcn.com/23_26/product-briefs/27167-1.html
for those interested) states, "Ounce Labs has published sample contract
language for software development that sets specific security standards and
requires a security audit of the source code. The language frees the buyer
from having to pay for software that does not meet the standards."

Anyone here familiar with any organizations that have adopted Ounce Labs'
contract verbiage -- or something conceptually similar to it?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com
