Sunday, February 04, 2007
Vendor Relationship Management and Building Security In...
The folks who blog about secure software development practices tend to focus on tools, with the conversation starting with how much lift they can provide. I frequently run across folks from SPI Dynamics, Ounce Labs, Fortify Software, LogLogic and others who tell us about their value proposition but haven't yet taken a step to help others procure secure software. Doc Searls even frequently talks about vendor relationship management but ignores the dimension of putting things into contracts to ensure that the proper relationships can be created.
A relationship does require an agreement, sometimes even written down on paper. When I married my wife, we formed a covenant at a spiritual level while also forming a contract, better known as a marriage license, at a physical level. It would seem to me that in order for security to get better, the following themes need to be represented in writing:
- If I woke up one day and found myself in control of this, here is what I would want:
- Contracts should allow the enterprise to test software in any way it chooses. A lot of software licenses currently may not allow that.
- Mandate third-party testing and the ability to see the outcome of those tests. You may not get access to the whole report, but there should be enough there to make a genuine assessment of how the vendor thinks about security. Sophisticated enterprises even have lists of approved vendors from which they will accept testing results.
- Language about how the vendor will ensure that no backdoors or other forms of malicious code are in the application. It is a good starting point, and it makes sure that someone on their side is at least thinking about it.
- SLAs around response times for vulnerabilities.
- Each vendor should describe their secure software development process.
- Each party should figure out a way to "score" security considerations in a transparent way and measure trajectory: upon each release of software the vendor must, at a minimum, do no harm, but ideally cause improvement over time. Releases where the trajectory is in the wrong direction should have some penalty associated with them.
- If vendors of proprietary closed-source software aren't timely in fixing security-related bugs, then enterprises should be able to invoke a software escrow clause under which they get full access to the source code to fix it themselves.
- Industry analysts should demonstrate that they are asking the proper security questions whenever they are putting folks into the leaders category. Non-functional attributes are equally important.
- Consider naming in an agreement which industry standards bodies the vendor should participate in.
Anyway, it would be incredibly interesting if Matt Asay could tell us why Alfresco is more secure than his closed source counterparts in the ECM space in the same way that Ishmael Ghalimi could do the same in the BPM space in an upcoming blog entry of theirs...