Build Security Criteria into Contracts (Purchase and Outsourcing)

Given the relatively recent shift of the security threat environment to attacking software, most contracts in use today do not provide adequate protections for enterprises from a security breach resulting from vulnerabilities embedded in third party software. Historically, enterprises have relied on expensive “on-premise” vendor visits to conduct audits of security policies and software development practices. Typically, this process is based on opinion and even some elements of “self-verification” by the vendor demonstrating that “minimum due care” has been taken during the software development process. Enterprises have awakened to the fact that a deeper level of security verification is required given the material adverse consequences of faulty software in Toyota, Chinese attack on Google or the fact that the last few major security breaches all occurred in PCI Certified enterprises. The RFP and subsequent contracting process is the best place to begin “baking-in” security in a formal way with your supplier and vendor community.

In most cases, application development outsourcers and independent software companies will provide enterprises with standard contracts to be used. Historically, such contracts have absolved the supplier of software or development services completely from liability associated with security breaches or have standard information in the contract that generically refers to the delivery of secure software with no definition of what that means. RFPs and software contracts usually emphasize features, quality, costs, vendor viability and preferred status as the core criteria for selection. Vendor Management and Procurement Professionals must be proactive in creating demand for secure software by moving to a secure procurement governance model that institutionalizes security into the software procurement process, including vendor selection and contract negotiation. Vendor management should require that all commercial software be independently tested for security vulnerabilities by embedding security requirements into both the RFP and purchasing contract.

The emergence of a set of industry-based standards such as CWE and CVSS make it easy for Procurement Professionals to set security thresholds that are intuitive, understandable and practical for both the enterprise and vendor to agree upon without requiring source code or putting the vendor’s intellectual property at risk.

Historically, such third party independent security audits have been expensive, time consuming and incomplete given that it was not affordable to assess the application in its entirety. Fortunately, however, Veracode’s patented innovation of performing cloud-based security audits on the final integrated application binary removes these burdens for both the enterprise and the vendor.