Software Security and Procurement John Ritchie, DAS Enterprise Security Office - PowerPoint PPT Presentation

Description:

Information security, software, vendors, procurement projects. Why am I talking to you? ... Incorporate software security requirements into procurement process ...

Slides: 21
Provided by: ore4
Transcript and Presenter's Notes

1
Software Security and Procurement
John Ritchie, DAS Enterprise Security Office
2
Introduction
  • What's my experience?
    • Not a procurement specialist
    • Information security, software, vendors,
      procurement projects
  • Why am I talking to you?
    • Describe procurement role in software security

3
Agenda
  • Problem statement
    • Insecure applications
  • Procurement lever
  • Procurement tools for security
    • RFP, contract
  • Procurement scenarios
    • Considerations for different procurement types

4
What's the problem?
  • Sea-change in hacking
    • Past: hobby hackers
    • Present: Internet crime wave
    • Future: cyber warfare
  • Plus
    • poor programming practices
    • insecure, buggy applications
  • Equals...

5
What's the solution?
  • No one solution, but...
  • Software vendor culture change
    • Better education
    • Better development practices
    • Shift from "release it now, fix it later"
      mentality

6
How can we help?
  • Leverage market forces
    • Customer expectations
      • We don't accept defective cars, why should we
        accept defective software?
    • Vendor competition
  • Exercise clout
    • Incorporate software security requirements into
      procurement process

7
What do you mean by requirements?
  • Secure development practices
    • Personnel
      • Background checks
      • Training
    • Development processes
      • Secure coding
      • Configuration management
    • Testing
      • Source code
      • Vulnerability testing
  • Maintenance
    • Notification of updates
    • Patch testing
    • Tracking security issues

8
Procurement tools for better security
  • RFP process
  • Contract security language

9
Tools: RFP process
  • Security requirements definition
    • Security features: be explicit
    • Vendor security practices
      • Software development
      • Software maintenance
      • Security responsiveness
    • Which ones are mandatory and which ones are
      desirable?
  • Compare responses

10
Vendor Security Practices
  • Software development
    • Is security integrated into the SDLC?
    • What training do developers get?
  • Software maintenance
    • Why and when are patches released?
    • How are customers notified?
  • Security responsiveness
    • Proactive or reactive?
    • What mechanisms for bug reporting and response?

11
Tools: Contract Language
  • Incorporates software security requirements into
    legal agreement
  • Growing movement
    • Requires clout
    • Reinforced by regulations
      • Payment Card Industry (PCI), Oregon Consumer
        Identity Theft Prevention Act (OCITPA)

12
Sample Language: New York State
  • Sample application security procurement language
    • http://www.sans.org/appseccontract/
  • Covers all areas of software security
    responsibility
  • Meeting resistance from software industry

13
Procurement Security Considerations
  • Differ based on type of procurement
    • Software purchase
      • Commercial Off-The-Shelf (COTS)
      • Custom development
    • Outsourcing of services
      • Not just software
    • Software as a service
      • e.g. TurboTax Online
  • Disclaimer: these lists are not exhaustive!

14
COTS Software
  • Clout is key
    • Big markets: U.S. Government?
  • Security requirements definition in RFP is
    important
    • Possible product differentiator
  • Contract security language
    • Growing role
    • Major vendors starting to see the light

15
Custom Software
  • Software security and vendor requirements need to
    be specific and detailed
  • Education may be necessary
  • Possible vendor differentiator
  • Ongoing patching and support is important

16
Outsourcing
  • Services and hosting as well as software
  • Define security goals and policies
  • Ensure outsourcing maintains the same level of
    compliance
  • Beware of sub-outsourcing

17
Software as a service
  • Who controls the data?
  • Is security adequate for all types of data?
    • Map to data classification
  • Ensure service maintains compliance with policies
    and security goals
  • Don't forget e-Discovery

18
Challenges
  • Procurement complexity
  • Lack of expertise
  • Vendor resistance
  • Software cost

19
Summary
  • Trend pushing security responsibility toward
    software vendors
  • We will see more of
    • Detailed security practices specified in RFPs
    • Security practices agreement in contracts

20
Further Reading
  • NY sample procurement contract language
    • http://www.sans.org/appseccontract/
  • OWASP Secure Software Contract Annex
    • https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • BITS Financial Services Roundtable Software
    Security Toolkit includes sample procurement
    language and sample business requirements
    • http://www.bits.org/downloads/Publications Page/bitssummittoolkit.pdf
  • This presentation is available under
    Presentations on the ESO website
    • http://www.oregon.gov/DAS/EISPD/ESO/Pub.shtml