Comments on: 软件厂商须承担更多安全责任 – 从丰田汽车召回事件说起

By: 初探ICT供应链完整性(节选) : 弯曲评论

初探ICT供应链完整性(节选) : 弯曲评论 — Tue, 15 Jun 2010 14:02:41 +0000

[...] 【注】本文节选自为即将发布的绿盟技术内刊，我被邀写一写新的动向，于是捉刀砍向最近关注的ICT供应链完整性，或大家更喜欢“安全”。这个话题在这篇初次提到，又在这篇再次涉及到，这次的内容稍微丰富了一些，希望能够给大家在工作研究之余，多一些参考。 [...]

By: Cloud & Telecom Security » 初探ICT供应链完整性(节选)

Cloud & Telecom Security » 初探ICT供应链完整性(节选) — Tue, 15 Jun 2010 01:44:07 +0000

By: Cloud & Telecom Security » RSA 2010 大会纪行

Cloud & Telecom Security » RSA 2010 大会纪行 — Tue, 09 Mar 2010 18:07:38 +0000

[...] Architect, Cloud, Security, Telecom Tags: 2010, 网络安全, RSA Related Posts2010/02/23 — 软件厂商须承担更多安全责任 – 从丰田汽车召回事件说起 (2)2010/02/08 — ENISA发布移动社会网络安全白皮书 (3)2010/02/03 — [...]

By: Richard

Richard — Tue, 23 Feb 2010 21:59:25 +0000

该范本可以在此处下载，内容相当丰富：

http://www.cscic.state.ny.us/resources/documents/Draft-Application-Security-Procurement-Language-V-2.0-February-2010.pdf

By: Richard

Richard — Tue, 23 Feb 2010 21:46:56 +0000

开发了东西就要用。这不，纽约州的CSCIC就要用上了。人家是已开始就计划好了合作的。这个新生事物对于SDLC相关的服务和产品拉升作用还是很大的。

New York State holds software developers accountable

18 February 2010
The state of New York is proposing language for inclusion in procurement documents that it hopes will help to enforce secure application development practices among suppliers.

The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) introduced the Application Development Security Procurement Language this month. Heralded as a “living document” by its authors, it is designed to complement the CWE/SANS Top 25 project, which identifies and prioritizes the programming errors most likely to cause security problems for software customers.

The draft procurement language document is intended specifically for custom code development rather than commercial off-the-shelf products. “While these provisions have been drafted for use in a contract for application development, similar language can be incorporated into other procurement documents, including requests for proposals and statements of work,” the document said.

The document provides a template for custom software development contracts. It mandates background checks for software development personnel, adequate training for development teams, and the provision of a single senior information security specialist during the development process.

Vendors should provide written documentation showing proof of secure application development, and should conduct a peer review of all code before it is considered ready for testing, the template says. Written reports should be provided to the purchaser on any security issue identified during the application development lifecycle, and a plan should be established to transfer knowledge to the customer so that the application can be maintained in a production environment.

The template specifically singles out the 25 most dangerous programming errors as identified in the CWE/SANS project, mandating a threat assessment and analysis procedure that covers those flaws.

Other measures mandated by the contract template include identifying the tools used in the development process, along with a set of written secure coding guidelines, documentation of a source code control system, and disclosing all third-party software used in the application.

Not everyone was happy with the idea of tying the procurement language to a broad category of software bugs, however. “I think the idea of linking procurement language to a list of specific bugs as being touted by SANS is counterproductive and silly,” argued Gary McGraw, CEO of application security company Cigital. “Based on my experience as an expert in litigation, my prediction is that there will be zero lawsuits based on this notion and that this list will do nothing to provide safe harbor in the case of insecure software.”