Software Security and Procurement John Ritchie, DAS Enterprise Security Office.


Introduction

• What's my experience?
  – Not a procurement specialist
  – Information security, software, vendors, procurement projects
• Why am I talking to you?
  – Describe the procurement role in software security

Agenda

• Problem statement
  – Insecure applications
  – Procurement lever
• Procurement tools for security
  – RFP, contract
• Procurement scenarios
  – Considerations for different procurement types

What's the problem?

• Sea-change in “hacking”
  – Past: hobby hackers
  – Present: Internet crime wave
  – Future: cyber warfare
• Plus
  – Poor programming practices
  – Insecure, buggy applications
• Equals...

What's the solution?

• No one solution, but...
• Software vendor culture change
  – Better education
  – Better development practices
  – Shift from the “release it now, fix it later” mentality

How can we help?

• Leverage market forces
  – Customer expectations
    • We don't accept defective cars, why should we accept defective software?
  – Vendor competition
  – Exercise clout
• Incorporate software security requirements into the procurement process

What do you mean by “requirements?”

• Secure development practices
  – Personnel
    • Background checks
    • Training
  – Development processes
    • Secure coding
    • Configuration management
  – Testing
    • Source code
    • Vulnerability testing
  – Maintenance
    • Notification of updates
    • Patch testing
    • Tracking security issues

Procurement tools for better security

• RFP process
• Contract security language

Tools: RFP process

• Security requirements definition
  – Security features: be explicit
  – Vendor security practices
    • Software development
    • Software maintenance
    • Security responsiveness
  – Which ones are mandatory and which ones are desirable?
• Compare responses

Vendor Security Practices

• Software development
  – Is security integrated into the SDLC?
  – What training do developers get?
• Software maintenance
  – Why and when are patches released?
  – How are customers notified?
• Security responsiveness
  – Proactive or reactive?
  – What mechanisms exist for bug reporting and response?

Tools: Contract Language

• Incorporates software security requirements into the legal agreement
• Growing movement
• Requires clout
• Reinforced by regulations
  – Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)

Sample Language: New York State

• Sample application security procurement language
  – http://www.sans.org/appseccontract/
• Covers all areas of software security responsibility
• Meeting resistance from the software industry

Procurement Security Considerations

• Differ based on the type of procurement
  – Software purchase
    • Commercial Off-The-Shelf (COTS)
    • Custom development
  – Outsourcing of services
    • Not just software
  – Software as a service
    • e.g. TurboTax Online
• Disclaimer: these lists are not exhaustive!

COTS Software

• Clout is key
  – Big markets: U.S. Government?
• Security requirements definition in the RFP is important
  – Possible product differentiator
• Contract security language
  – Growing role
• Major vendors starting to “see the light”

Custom Software

• Software security and vendor requirements need to be specific and detailed
• Education may be necessary
• Possible vendor differentiator
• Ongoing patching and support is important

Outsourcing

• Services and hosting as well as software
• Define security goals and policies
• Ensure outsourcing maintains the same level of compliance
• Beware of sub-outsourcing

Software as a service

• Who controls the data?
• Is security adequate for all types of data?
  – Map to data classification
• Ensure the service maintains compliance with policies and security goals
• Don't forget e-Discovery

Challenges

• Procurement complexity
• Lack of expertise
• Vendor resistance
• Software cost

Summary

• Trend pushing security responsibility toward software vendors
• We will see more of:
  – Detailed security practices specified in RFPs
  – Security practices agreements in contracts

Further Reading

• NY sample procurement contract language
  – http://www.sans.org/appseccontract/
• OWASP Secure Software Contract Annex
  – https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
• BITS Financial Services Roundtable Software Security Toolkit – includes sample procurement language and sample business requirements
  – http://www.bits.org/downloads/Publications Page/bitssummittoolkit.pdf
• This presentation is available under “Presentations” on the ESO website:
  – http://www.oregon.gov/DAS/EISPD/ESO/Pub.shtml