
New York State holds software developers accountable

18 February 2010

The state of New York is proposing language for inclusion in procurement documents that it hopes will help to enforce secure application development practices among suppliers.

The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) introduced the Application Development Security Procurement Language this month. Heralded as a "living document" by its authors, it is designed to complement the CWE/SANS Top 25 project, which identifies and prioritizes the programming errors most likely to cause security problems for software customers.

The draft procurement language document is intended specifically for custom code development rather than commercial off-the-shelf products. "While these provisions have been drafted for use in a contract for application development, similar language can be incorporated into other procurement documents, including requests for proposals and statements of work," the document said.

The document provides a template for custom software development contracts. It mandates background checks for software development personnel, adequate training for development teams, and the provision of a single senior information security specialist during the development process.

Vendors should provide written documentation showing proof of secure application development, and should conduct a peer review of all code before it is considered ready for testing, the template says. Written reports should be provided to the purchaser on any security issue identified during the application development lifecycle, and a plan should be established to transfer knowledge to the customer so that the application can be maintained in a production environment.

The template specifically singles out the 25 most dangerous programming errors as identified in the CWE/SANS project, mandating a threat assessment and analysis procedure that covers those flaws.

Other measures mandated by the contract template include identifying the tools used in the development process, along with a set of written secure coding guidelines, documentation of a source code control system, and disclosing all third-party software used in the application.

Not everyone was happy with the idea of tying the procurement language to a broad category of software bugs, however. "I think the idea of linking procurement language to a list of specific bugs as being touted by SANS is counterproductive and silly," argued Gary McGraw, CEO of application security company Cigital. "Based on my experience as an expert in litigation, my prediction is that there will be zero lawsuits based on this notion and that this list will do nothing to provide safe harbor in the case of insecure software."
