Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction What's my experience? Why am I talking to you?

Published byBernice Ball Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction What's my experience? Why am I talking to you?"— Presentation transcript:

1 Software Security and Procurement John Ritchie, DAS Enterprise Security Office

2 Introduction What's my experience? Why am I talking to you?
Not a procurement specialist Information security, software, vendors, procurement projects Why am I talking to you? Describe procurement role in software security

3 Agenda Problem statement Procurement tools for security
Insecure applications Procurement lever Procurement tools for security RFP, contract Procurement scenarios Considerations for different procurement types

4 What's the problem? Sea-change in “hacking” Plus Equals...
Past: hobby hackers Present: Internet crime wave Future: cyber warfare Plus poor programming practices insecure, buggy applications Equals...

5 What's the solution? No one solution, but...
Software vendor culture change Better education Better development practices Shift from “release it now, fix it later” mentality

6 How can we help? Leverage market forces
Customer expectations We don't accept defective cars, why should we accept defective software? Vendor competition Exercise clout Incorporate software security requirements into procurement process

7 What do you mean by “requirements?”
Secure development practices Personnel Background checks Training Development processes Secure coding Configuration management Testing Source code Vulnerability testing Maintenance Notification of updates Patch testing Tracking security issues

8 Procurement tools for better security
RFP process Contract security language

9 Tools: RFP process Security requirements definition Compare responses
Security features: be explicit Vendor security practices Software development Software maintenance Security responsiveness Which ones are mandatory and which ones are desirable? Compare responses

10 Vendor Security Practices
Software development Is security integrated into the SDLC? What training do developers get? Software maintenance Why and when are patches released? How are customers notified? Security responsiveness Proactive or reactive? What mechanisms for bug reporting and response?

11 Tools: Contract Language
Incorporates software security requirements into legal agreement Growing movement Requires clout Reinforced by regulations Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)

12 Sample Language: New York State
Sample application security procurement language Covers all areas of software security responsibility Meeting resistance from software industry

13 Procurement Security Considerations
Differ based on type of procurement Software purchase Commercial Off-The-Shelf (COTS) Custom development Outsourcing of services Not just software Software as a service e.g. TurboTax Online Disclaimer: these lists are not exhaustive!

14 COTS Software Clout is key
Big markets: U.S. Government? Security requirements definition in RFP is important Possible product differentiator Contract security language Growing role Major vendors starting to “see the light”

15 Custom Software Software security and vendor requirements need to be specific and detailed Education may be necessary Possible vendor differentiator Ongoing patching and support is important

16 Outsourcing Services and hosting as well as software
Define security goals and policies Ensure outsourcing maintains the same level of compliance Beware of sub-outsourcing

17 Software as a service Who controls the data?
Is security adequate for all types of data? Map to data classification Ensure service maintains compliance with policies and security goals Don't forget e-Discovery

18 Challenges Procurement complexity Lack of expertise Vendor resistance
Software cost

19 Summary Trend pushing security responsibility toward software vendors
We will see more of: Detailed security practices specified in RFPs Security practices agreement in contracts

20 Further Reading NY sample procurement contract language
OWASP Secure Software Contract Annex BITS Financial Services Roundtable Software Security Toolkit – includes sample procurement language and sample business requirements Page/bitssummittoolkit.pdf This presentation is available under “Presentations” on the ESO website:

Download ppt "Introduction What's my experience? Why am I talking to you?"

Similar presentations

Acquisition Planning and Adequate Market Research National Oceanic and Atmospheric Administration Acquisition and Grants Office Oversight and Compliance.

Acquisition Planning and Adequate Market Research National Oceanic and Atmospheric Administration Acquisition and Grants Office Oversight and Compliance.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”

“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”
Enterprise Content Management Pre-Proposal Conference for RFP No. ISD2006ECM-SS December 6, 2006 California Administrative Office of the Courts Information.

Enterprise Content Management Pre-Proposal Conference for RFP No. ISD2006ECM-SS December 6, 2006 California Administrative Office of the Courts Information.
© Prentice Hall 2002 10.1 CHAPTER 10 Alternative Approach: Purchasing Systems.

© Prentice Hall CHAPTER 10 Alternative Approach: Purchasing Systems.
High Tech Executive Discussion New Industry Solutions to Shape Your Future Rosh Dawes, Equinix Joseph Ahn: Principal Consultant, Samsung SDS Jaechul Lee:

High Tech Executive Discussion New Industry Solutions to Shape Your Future Rosh Dawes, Equinix Joseph Ahn: Principal Consultant, Samsung SDS Jaechul Lee:
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
Security Controls – What Works

Security Controls – What Works
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
Management Information Systems, 4 th Edition 1 Chapter 16 Alternative Avenues for Systems Acquisitions.

Management Information Systems, 4 th Edition 1 Chapter 16 Alternative Avenues for Systems Acquisitions.
Software Security and Procurement John Ritchie, DAS Enterprise Security Office.

Software Security and Procurement John Ritchie, DAS Enterprise Security Office.
Treasury Systems Custom Developed/ Bespoke Application Software Versus Commercially available Off The Shelf (COTS) Software A. Hashim Treasury Systems.

Treasury Systems Custom Developed/ Bespoke Application Software Versus Commercially available Off The Shelf (COTS) Software A. Hashim Treasury Systems.
SDLC Phase 2: Selection Dania Bilal IS 582 Spring 2009.

SDLC Phase 2: Selection Dania Bilal IS 582 Spring 2009.
IT Service Delivery And Support Week Five IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA CISA CISSP) 1.

IT Service Delivery And Support Week Five IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA CISA CISSP) 1.
Introduction to Software Quality Assurance (SQA)

Introduction to Software Quality Assurance (SQA)
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.

Similar presentations

Ads by Google