Information Protection Policies

[ken at krvw.com (Kenneth Van Wyk)]

On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
> Ken, in terms of a previous response to your posting in terms of  
> getting customers to ask for secure coding practices from vendors,  
> wouldn't it start with figuring out how they could simply cut-and- 
> paste InfoSec policies into their own?

Using someone's "boilerplate" policies as a starting point is great,  
as long as they go beyond just infosec policies and include examples/ 
guidelines for writing contracts for outsourcing software development  
and acquisition.

Steve Christey pointed to OWASP's example at http://www.owasp.org/ 
index.php/OWASP_Secure_Software_Contract_Annex.  While I haven't  
(yet) looked at this AND while I'm certainly no authority on contract  
writing, I'd bet that this OWASP example will at least provide some  
pretty good food for thought for anyone who is contracting software  
development.

I firmly believe that we as consumers and as a whole, are not doing  
an adequate job at demanding more in the way of software security  
from the software we purchase and outsource.  IMHO, that shouldn't be  
horribly difficult to change in the short- to medium-term.  Better  
contracts and contractor oversight (e.g., independent architectural  
risk analysis, static code analysis, and rigorous security testing)  
should go a long way.  I know I'm over-simplifying things here, but  
still...

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2454 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20070313/f6897a61/attachment-0001.bin