Secure Coding mailing list archives

How Can You Tell It Is Written Securely?


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Sun, 30 Nov 2008 12:44:58 -0500

Enumerating all of the potential weaknesses in software as a requirement
to be put into a contract is somewhat problematic on several levels. I
guess you can take something like CWE as a starting point and filter
down the headers to things that only apply to your particular
implementation. A better approach would be to filter providers based on
security before you even get to the contract stage. For example, ask if
they would be willing to procure a copy of a static analysis tool from a
vendor such as Ounce Labs, Coverity, etc., and then check on the backside
to see how many seats they have purchased (e.g. reference check).
 
You can also use as a "proxy" the level of participation by inquiring
how deeply and frequently they participate in local user groups such
as OWASP. If they have folks that speak at OWASP events, then they are
probably much more security conscious than those who don't. If they
don't speak but do attend, that is also better than simply getting the
person on the Asian vendor's side simply telling you whatever is required
to close the deal.

________________________________

From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Jim Manico
Sent: Thursday, November 27, 2008 4:38 PM
To: Mark Rockman
Cc: Secure Mailing List
Subject: Re: [SC-L] How Can You Tell It Is Written Securely?


OK. So you decide to outsource your programming assignment to Asia
and demand that they deliver code that is so locked down that it cannot
misbehave. How can you tell that what they deliver is truly locked
down? Will you wait until it gets hacked? What simple yet thorough
inspection process is there that'll do the job? Doesn't exist, does it?

The most important thing you can do is provide very specific security
requirements as part of your vendor contract BEFORE you hire a vendor -
and the process of building these security requirements might call for
bringing in a security consultant if you do not have the expertise
in-shop.

Requirements that allow a vendor to actually provide security are line
items like (assuming it's a web app):

"Provide input validation for every piece of user data. Do so by mapping
every unique piece of user data to a regular expression that is placed
inside a configuration file."
"Provide CSRF protection by creating and enforcing a form nonce for
every user session."

After you build this list for your company, it should provide you with a
core list of security requirements that you can add to any PO.

- Jim



MARK ROCKMAN
MDRSESCO LLC
________________________________


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com
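The two contract line items Jim quotes above, carried through as an added example (not code from the thread, from Aspect Security or from any vendor): every named user field maps to one anchored regular expression held in a configuration file and is rejected unless it fully matches, and a per-session form nonce is created once and enforced on every state-changing request. The JSON config text, the `session` dict standing in for server-side session storage, and the `handle_post` handler are constructed for illustration.

```python
import hmac
import json
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the configuration file: one anchored regex per
# unique piece of user data. A field with no entry here is never accepted.
VALIDATION_CONFIG = json.loads(r"""
{
  "username": "^[A-Za-z0-9_]{3,32}$",
  "zip_code": "^[0-9]{5}$",
  "amount":   "^[0-9]{1,7}(\\.[0-9]{2})?$"
}
""")
_RULES = {name: re.compile(p) for name, p in VALIDATION_CONFIG.items()}


def validate(field: str, value: str) -> bool:
    """Fail closed: unknown field -> reject; value must match the whole
    string (fullmatch also blocks the trailing newline that '$' alone allows)."""
    rule = _RULES.get(field)
    return rule is not None and rule.fullmatch(value) is not None


def issue_csrf_nonce(session: Dict[str, str]) -> str:
    """Create one unguessable nonce per user session, kept server-side;
    the app embeds it as a hidden field in every form it renders."""
    if "csrf_nonce" not in session:
        session["csrf_nonce"] = secrets.token_urlsafe(32)
    return session["csrf_nonce"]


def check_csrf(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Enforce the nonce: missing on either side -> reject; otherwise compare
    in constant time so the check leaks nothing about the expected value."""
    expected = session.get("csrf_nonce")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed handler for a form POST: CSRF first, then every submitted
    field must have a configured rule and pass it before any work is done."""
    if not check_csrf(session, form.get("csrf_nonce")):
        return 403, "csrf check failed"
    for field, value in form.items():
        if field != "csrf_nonce" and not validate(field, value):
            return 400, f"invalid {field}"
    return 200, "ok"
```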