Software vendors must take on more security responsibility: starting from the Toyota recall
I am sure everyone has noticed the Toyota recall that has received such wide media coverage; a Google search for "丰田汽车召回" (Toyota recall) just returned 8.8M+ results. Admittedly, recalls of cars, home appliances and the like are not common in China, thanks to the state of domestic consumer "protection", and consumers mostly have to swallow their losses in silence. But in Western developed countries this is routine: if a product you manufactured has a quality defect, recalling it and repairing it free of charge is taken for granted.
Now look back at the IT and software industry we work in. Pick up any commercial software license agreement, the kind you are forced to sign, and it says in plain language: this software is provided "as-is"; no guarantee that it is free of vulnerabilities; if a vulnerability appears, no guarantee as to when a patch will be released; if a patch is released, no guarantee that it works; if the software causes an incident in use, compensation will not exceed the price of the software; ...
When IT and software were emerging industries, granting some special protection to such a high-risk new thing was understandable. But when the industry holds more and more Fortune 500 companies and produces more and more billionaires, rethinking this basic market obligation becomes an easily understood trend.
SANS and Mitre Corp, two well-known organizations, have jointly launched this very thought-provoking project. I call it "thought-provoking" because I have been thinking about this problem for quite some time. Working for a software or security vendor, you would not have this feeling, or not strongly. As an internal IT operations person it is different. Your antivirus system false-positives and deletes software on thousands of PCs and brings down hundreds of servers, and I actually cannot obtain normal compensation under the contract/license terms? That is infuriating. Your software has a vulnerability, and the vendor not only drags its feet on a patch, but it somehow becomes the user's responsibility: it was agreed "as-is" when you signed on the dotted line...
Admittedly, the market eventually weeds out vendors that leave customers dissatisfied, but when this rule is applied to "security", it does not work very well, or is too "slow".
SANS and Mitre Corp are calling on everyone to change their contract templates and set the rules anew!
Alan Paller, director of research with the institute, said that nearly every attack is enabled by programming mistakes that provide a handhold for attackers.
“The only way programming errors can be eradicated is by making software development organisations legally liable for the errors”, he explained.
Vendors are required to have a rigorous, high-assurance development process covering the entire software lifecycle, and to commit to "timely" fixing of "defective" products (remember that the CAM project needs to define some metrics for "timely", "fix", "defect" and so on. Heh). I am not sure whether this counts as supply-chain security in the broad sense. Indeed, in tenders today it is increasingly common to require bidders to provide information on their own internal IT, and even on their suppliers' information/network security, SDLC, BCP, and so on.
Under this trend, the whole software industry chain may feel a considerable impact. Users will no longer need so many security vendors, because this responsibility shifts to the supplier: the supplier has to take on more of the security responsibility itself, or outsource that responsibility in turn. In cloud computing, especially the SaaS and PaaS models, this phenomenon will also be very prominent. Users will need more security assessment, auditing and verification to confirm and monitor the security level of their suppliers.
P.S. Below is the news about SANS and MITRE CORP:
Call for software vendors to take better care when developing software
23 February 2010
A consortium of more than 30 major customers of software vendors have called for more secure development of their applications, and for the developers to adhere to best practice at the earliest opportunity.
The group, which is being led by the SANS Institute and Mitre Corp., has released a draft proposed language set for company procurement contracts that allows firms to mandate best practice from their software suppliers.
According to the SANS Institute, the document will provide user companies with a list of specific terms and conditions that can be included in procurement contracts to ensure that vendors are adhering to a strict set of software development security standards.
Alan Paller, director of research with the institute, said that nearly every attack is enabled by programming mistakes that provide a handhold for attackers.
“The only way programming errors can be eradicated is by making software development organisations legally liable for the errors”, he explained.
The initiative has been met with general approval by the software industry, with application vulnerability specialist Fortify Software giving the thumbs up to the move by the consortium.
Richard Kirk, the firm’s European director, said that best practice in code development has been under active discussion by the software vendor community for some time.
“It’s good to hear that the SANS Institute has grasped the bull by the horns, and done something practical about the issue”, he said, adding that Fortify has observed a large number of successful hacker attacks are caused – in part – by software flaws.
This, he explained, is what gives hackers a small chink in a software application’s armour that they can then pry open.
According to Kirk, by encouraging companies to include suitable language in their procurement contracts, the consortium will hopefully drive the software development industry to adopt the best practices that a number of experts have been calling for for some time.
“Changes of this type aren’t going to happen overnight, as software vendors will have to engender new working practices in their code development operations”, he said.
“However, if their clients start mandating the use of best practices in their commercial agreements – through the use of the correct language in procurement contracts – then that is something we can wholly support”, he added.

The template can be downloaded here; its content is quite rich:
http://www.cscic.state.ny.us/resources/documents/Draft-Application-Security-Procurement-Language-V-2.0-February-2010.pdf
Once something is developed, it has to be used. Sure enough, New York State's CSCIC is about to put it to use; they had planned the collaboration from the start. This new development will give a considerable boost to SDLC-related services and products.
New York State holds software developers accountable
18 February 2010
The state of New York is proposing language for inclusion in procurement documents that it hopes will help to enforce secure application development practices among suppliers.
The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) introduced the Application Development Security Procurement Language this month. Heralded as a “living document” by its authors, it is designed to complement the CWE/SANS Top 25 project, which identifies and prioritizes the programming errors most likely to cause security problems for software customers.
The draft procurement language document is intended specifically for custom code development rather than commercial off-the-shelf products. “While these provisions have been drafted for use in a contract for application development, similar language can be incorporated into other procurement documents, including requests for proposals and statements of work,” the document said.
The document provides a template for custom software development contracts. It mandates background checks for software development personnel, adequate training for development teams, and the provision of a single senior information security specialist during the development process.
Vendors should provide written documentation showing proof of secure application development, and should conduct a peer review of all code before it is considered ready for testing, the template says. Written reports should be provided to the purchaser on any security issue identified during the application development lifecycle, and a plan should be established to transfer knowledge to the customer so that the application can be maintained in a production environment.
The template specifically singles out the 25 most dangerous programming errors as identified in the CWE/SANS project, mandating a threat assessment and analysis procedure that covers those flaws.
Other measures mandated by the contract template include identifying the tools used in the development process, along with a set of written secure coding guidelines, documentation of a source code control system, and disclosing all third-party software used in the application.
Not everyone was happy with the idea of tying the procurement language to a broad category of software bugs, however. “I think the idea of linking procurement language to a list of specific bugs as being touted by SANS is counterproductive and silly,” argued Gary McGraw, CEO of application security company Cigital. “Based on my experience as an expert in litigation, my prediction is that there will be zero lawsuits based on this notion and that this list will do nothing to provide safe harbor in the case of insecure software.”