Supply Chain Resiliency Project Assistance

[mbrown at sans.org (Mason Brown)]

Thanks Dave.  Yeah, we have the OWASP and SANS stuff plus a bunch of other
from DHS and so on.  Mostly we're looking for things people have done that
actually worked.  IOW, examples of controls are even better than research
or whitepapers.  

This initiative is actually unrelated to the procurement language stuff
Jim and Will worked on.  Although I'm sure Jim will include that in his
summary.  This is an Financial Services ISAC (FS-ISAC) sponsored program.
It focuses on a lot more than the procurement or services angles -- this
working group is just one part of a broader effort on supply chain
resiliency.  They will be presenting the results to FS-ISAC in May, I
think.

Mase


Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)
 

Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in
Baltimore, MD http://www.sans.org/info/39248 

"SANS courses are hands-down the best security courses in the industry." -
Scott Hiltis, Bruce Power


-----Original Message-----
From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com] 
Sent: Monday, March 23, 2009 8:52 AM
To: Mason Brown; Secure Code Mailing List
Subject: RE: [SC-L] Supply Chain Resiliency Project Assistance

Mason,

I know you and Jim are already aware of the OWASP Legal Project, which has
the Secure Software Development contract annex:
http://www.owasp.org/index.php/Category:OWASP_Legal_Project, which was
developed by Jeff Williams.

For everyone else, this guideline has been available at OWASP for many
years and served as the basis for the SANS Application Security
Procurement Language effort detailed here:
http://www.sans.org/appseccontract/.

I'm assuming this supply chain resiliency effort is a continuation of the
Application Security Procurement Language effort by Jim Routh and Will
Pelgrin.

-Dave

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Mason Brown
Sent: Sunday, March 22, 2009 9:09 AM
To: 'Secure Code Mailing List'
Subject: [SC-L] Supply Chain Resiliency Project Assistance

 
Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a
project for the Financial Services ISAC.  There is a lot of knowledge on
this list and I was hoping you might be willing to offer your thoughts.
Below is the request from Jim.  If you have thoughts or data and could
share it, I'll be happy to collate and send back to the list or to anyone
that requests.  After he presents it to the FS-ISAC in May, the complete
information will be made public.

Important project if your organization uses contractors and outsourcers to
design, build or deploy important applications. Jim Routh, CISO at
Depository Trust and Clearing Corporation (and one of the top CISOs in
implementing application security), leads a broad industry team
identifying leading practices in improving supply chain resiliency --
specifically in the area of procurement for outsourcing software
development and services. They have asked for your help in finding sources
of information in the public domain and/or descriptions of a practice or
control that you have used that actually mitigates one or more risks. If
you have experience or knowledge of security controls and practices
specific to the outsourcing of application development through service
providers please send a note to Mason Brown at mbrown at sans.org.
This can include things like sample contract language or URLs
information/resources you have seen or used. We will provide a summary of
the information to anyone who contributes or expresses and interest in
seeing the results.


***************************
Action Required: 

Give some thought to helpful information on security controls and
practices specific to the outsourcing of application development work
through service providers that will help improve the resiliency of the
supply chain that may be in two categories: 

1. Source information in the public domain with reference information on
where to find it (eg: url) 2. Description of a practice/control along with
a summary of the risks mitigated

We are striving to create a summary of practices/controls for
consideration for those organizations interested in significantly
increasing their supply chain resiliency and mitigate the risk of sabotage
of supply chain sources. This information along with the survey results
will provide the information security professional with a source of
information enabling him/her to determine the appropriate
practices/controls for his/her organization. 



Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)
 

Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in
Baltimore, MD http://www.sans.org/info/39248 

"SANS courses are hands-down the best security courses in the industry."
-
Scott Hiltis, Bruce Power

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org List information,
subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________