Introduction What's my experience? Why am I talking to you?

Presentation transcript:

Software Security and Procurement John Ritchie, DAS Enterprise Security Office

Introduction
- What's my experience?
  - Not a procurement specialist
  - Information security, software, vendors, procurement projects
- Why am I talking to you?
  - Describe procurement role in software security

Agenda
- Problem statement: insecure applications
- Procurement lever
- Procurement tools for security: RFP, contract
- Procurement scenarios: considerations for different procurement types

What's the problem?
- Sea-change in “hacking”
  - Past: hobby hackers
  - Present: Internet crime wave
  - Future: cyber warfare
- Plus: poor programming practices
- Equals: insecure, buggy applications

What's the solution?
- No one solution, but...
- Software vendor culture change
  - Better education
  - Better development practices
  - Shift from “release it now, fix it later” mentality

How can we help?
- Leverage market forces
  - Customer expectations: we don't accept defective cars, why should we accept defective software?
  - Vendor competition
- Exercise clout: incorporate software security requirements into the procurement process

What do you mean by “requirements?”
- Secure development practices
  - Personnel: background checks, training
  - Development processes: secure coding, configuration management
  - Testing: source code, vulnerability testing
  - Maintenance: notification of updates, patch testing, tracking security issues

Procurement tools for better security
- RFP process
- Contract security language

Tools: RFP process
- Security requirements definition
  - Security features: be explicit
  - Vendor security practices: software development, software maintenance, security responsiveness
  - Which ones are mandatory and which ones are desirable?
- Compare responses

Vendor Security Practices
- Software development: Is security integrated into the SDLC? What training do developers get?
- Software maintenance: Why and when are patches released? How are customers notified?
- Security responsiveness: Proactive or reactive? What mechanisms for bug reporting and response?

Tools: Contract Language
- Incorporates software security requirements into the legal agreement
- Growing movement
- Requires clout
- Reinforced by regulations: Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)

Sample Language: New York State
- Sample application security procurement language: http://www.sans.org/appseccontract/
- Covers all areas of software security responsibility
- Meeting resistance from software industry

Procurement Security Considerations
- Differ based on type of procurement
  - Software purchase: Commercial Off-The-Shelf (COTS), custom development
  - Outsourcing of services: not just software
  - Software as a service, e.g. TurboTax Online
- Disclaimer: these lists are not exhaustive!

COTS Software
- Clout is key; big markets: U.S. Government?
- Security requirements definition in RFP is important; possible product differentiator
- Contract security language: growing role; major vendors starting to “see the light”

Custom Software
- Software security and vendor requirements need to be specific and detailed
- Education may be necessary; possible vendor differentiator
- Ongoing patching and support is important

Outsourcing
- Services and hosting as well as software
- Define security goals and policies
- Ensure outsourcing maintains the same level of compliance
- Beware of sub-outsourcing

Software as a service
- Who controls the data?
- Is security adequate for all types of data? Map to data classification
- Ensure the service maintains compliance with policies and security goals
- Don't forget e-Discovery

Challenges
- Procurement complexity
- Lack of expertise
- Vendor resistance
- Software cost

Summary
- Trend pushing security responsibility toward software vendors
- We will see more of:
  - Detailed security practices specified in RFPs
  - Security practices agreements in contracts

Further Reading
- NY sample procurement contract language: http://www.sans.org/appseccontract/
- OWASP Secure Software Contract Annex: https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
- BITS Financial Services Roundtable Software Security Toolkit (includes sample procurement language and sample business requirements): http://www.bits.org/downloads/Publications Page/bitssummittoolkit.pdf
- This presentation is available under “Presentations” on the ESO website: http://www.oregon.gov/DAS/EISPD/ESO/Pub.shtml