Secure Coding mailing list archives

FW: How Can You Tell It Is Written Securely?

From: marcinw86 at gmail.com (Marcin Wielgoszewski)
Date: Mon, 1 Dec 2008 11:06:23 -0500

Steven,

There are more than several managers of application security programs
for F-100 companies that have written security requirements into their
SLAs with outsourced development firms.  One example uses application
penetration testing and vulnerability assessment findings to enforce
SLA requirements.  Some companies employ an entire team of people to
perform both whitebox and blackbox testing in addition to
external/3rd-party assessments.

And as you later state, security requirements should be written into
the functional requirements, and not handed off in their own category or
as some appendix document.

-Marcin
tssci-security.com

On Mon, Dec 1, 2008 at 9:59 AM, Herman Stevens
<herman.stevens at astyran.be> wrote:
> I tend to disagree with your statement that security requirements should be part of contractual agreements or added
> to a purchase order. In the Real World (? ?) this does not work. Once signed, contracts are never looked at again,
> unless the shit hits the fan and someone must be blamed for something that went wrong. Development teams (which is a
> lot broader than the term developers) _never_ read contracts or look at purchase orders.
