Download presentation
Presentation is loading. Please wait.
Published byBernice Ball Modified over 6 years ago
1
Software Security and Procurement John Ritchie, DAS Enterprise Security Office
2
Introduction What's my experience? Why am I talking to you?
Not a procurement specialist Information security, software, vendors, procurement projects Why am I talking to you? Describe procurement role in software security
3
Agenda Problem statement Procurement tools for security
Insecure applications Procurement lever Procurement tools for security RFP, contract Procurement scenarios Considerations for different procurement types
4
What's the problem? Sea-change in “hacking” Plus Equals...
Past: hobby hackers Present: Internet crime wave Future: cyber warfare Plus poor programming practices insecure, buggy applications Equals...
5
What's the solution? No one solution, but...
Software vendor culture change Better education Better development practices Shift from “release it now, fix it later” mentality
6
How can we help? Leverage market forces
Customer expectations We don't accept defective cars, why should we accept defective software? Vendor competition Exercise clout Incorporate software security requirements into procurement process
7
What do you mean by “requirements?”
Secure development practices Personnel Background checks Training Development processes Secure coding Configuration management Testing Source code Vulnerability testing Maintenance Notification of updates Patch testing Tracking security issues
8
Procurement tools for better security
RFP process Contract security language
9
Tools: RFP process Security requirements definition Compare responses
Security features: be explicit Vendor security practices Software development Software maintenance Security responsiveness Which ones are mandatory and which ones are desirable? Compare responses
10
Vendor Security Practices
Software development Is security integrated into the SDLC? What training do developers get? Software maintenance Why and when are patches released? How are customers notified? Security responsiveness Proactive or reactive? What mechanisms for bug reporting and response?
11
Tools: Contract Language
Incorporates software security requirements into legal agreement Growing movement Requires clout Reinforced by regulations Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)
12
Sample Language: New York State
Sample application security procurement language Covers all areas of software security responsibility Meeting resistance from software industry
13
Procurement Security Considerations
Differ based on type of procurement Software purchase Commercial Off-The-Shelf (COTS) Custom development Outsourcing of services Not just software Software as a service e.g. TurboTax Online Disclaimer: these lists are not exhaustive!
14
COTS Software Clout is key
Big markets: U.S. Government? Security requirements definition in RFP is important Possible product differentiator Contract security language Growing role Major vendors starting to “see the light”
15
Custom Software Software security and vendor requirements need to be specific and detailed Education may be necessary Possible vendor differentiator Ongoing patching and support is important
16
Outsourcing Services and hosting as well as software
Define security goals and policies Ensure outsourcing maintains the same level of compliance Beware of sub-outsourcing
17
Software as a service Who controls the data?
Is security adequate for all types of data? Map to data classification Ensure service maintains compliance with policies and security goals Don't forget e-Discovery
18
Challenges Procurement complexity Lack of expertise Vendor resistance
Software cost
19
Summary Trend pushing security responsibility toward software vendors
We will see more of: Detailed security practices specified in RFPs Security practices agreement in contracts
20
Further Reading NY sample procurement contract language
OWASP Secure Software Contract Annex BITS Financial Services Roundtable Software Security Toolkit – includes sample procurement language and sample business requirements Page/bitssummittoolkit.pdf This presentation is available under “Presentations” on the ESO website:
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.