Software Security and Procurement John Ritchie, DAS Enterprise Security Office.

1 Software Security and Procurement John Ritchie, DAS Enterprise Security Office

2 Introduction
What's my experience?
– Not a procurement specialist
– Information security, software, vendors, procurement projects
Why am I talking to you?
– Describe procurement role in software security

3 Agenda
Problem statement
– Insecure applications
– Procurement lever
Procurement tools for security
– RFP, contract
Procurement scenarios
– Considerations for different procurement types

4 What's the problem?
Sea-change in “hacking”
– Past: hobby hackers
– Present: Internet crime wave
– Future: cyber warfare
Plus
– poor programming practices
– insecure, buggy applications
Equals...

5 What's the solution?
No one solution, but...
Software vendor culture change
– Better education
– Better development practices
– Shift from “release it now, fix it later” mentality

6 How can we help?
Leverage market forces
– Customer expectations: we don't accept defective cars, why should we accept defective software?
– Vendor competition
– Exercise clout
Incorporate software security requirements into procurement process

7 What do you mean by “requirements?”
Secure development practices
– Personnel
  Background checks
  Training
– Development processes
  Secure coding
  Configuration management
– Testing
  Source code
  Vulnerability testing
– Maintenance
  Notification of updates
  Patch testing
  Tracking security issues

8 Procurement tools for better security
RFP process
Contract security language

9 Tools: RFP process
Security requirements definition
– Security features: be explicit
– Vendor security practices
  Software development
  Software maintenance
  Security responsiveness
– Which ones are mandatory and which ones are desirable?
Compare responses

10 Vendor Security Practices
Software development
– Is security integrated into the SDLC?
– What training do developers get?
Software maintenance
– Why and when are patches released?
– How are customers notified?
Security responsiveness
– Proactive or reactive?
– What mechanisms for bug reporting and response?

11 Tools: Contract Language
Incorporates software security requirements into legal agreement
Growing movement
Requires clout
Reinforced by regulations
– Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)

12 Sample Language: New York State
Sample application security procurement language
– http://www.sans.org/appseccontract/
Covers all areas of software security responsibility
Meeting resistance from software industry

13 Procurement Security Considerations
Differ based on type of procurement
– Software purchase
  Commercial Off-The-Shelf (COTS)
  Custom development
– Outsourcing of services
  Not just software
– Software as a service
  e.g. TurboTax Online
Disclaimer: these lists are not exhaustive!

14 COTS Software
Clout is key
– Big markets: U.S. Government?
Security requirements definition in RFP is important
– Possible product differentiator
Contract security language
– Growing role
Major vendors starting to “see the light”

15 Custom Software
Software security and vendor requirements need to be specific and detailed
Education may be necessary
Possible vendor differentiator
Ongoing patching and support is important

16 Outsourcing
Services and hosting as well as software
Define security goals and policies
Ensure outsourcing maintains the same level of compliance
Beware of sub-outsourcing

17 Software as a service
Who controls the data?
Is security adequate for all types of data?
– Map to data classification
Ensure service maintains compliance with policies and security goals
Don't forget e-Discovery

18 Challenges
Procurement complexity
Lack of expertise
Vendor resistance
Software cost

19 Summary
Trend pushing security responsibility toward software vendors
We will see more of:
– Detailed security practices specified in RFPs
– Security practices agreement in contracts

20 Further Reading
NY sample procurement contract language
– http://www.sans.org/appseccontract/
OWASP Secure Software Contract Annex
– https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
BITS Financial Services Roundtable Software Security Toolkit – includes sample procurement language and sample business requirements
– http://www.bits.org/downloads/Publications Page/bitssummittoolkit.pdf
This presentation is available under “Presentations” on the ESO website:
– http://www.oregon.gov/DAS/EISPD/ESO/Pub.shtml
