OWASP Secure Software Contract Annex - Revision history

Thomas Herlea: /* ABOUT THE PROJECT */ Fixed broken link to OWASP_Legal_Project

2016-03-02T08:34:23Z

‎ABOUT THE PROJECT: Fixed broken link to OWASP_Legal_Project

Achim: identify as Category:OWASP Secure Software Contract Annex

2015-04-14T11:45:31Z

identify as Category:OWASP Secure Software Contract Annex

Achim: Category:OWASP Secure Software Contract Annex added

2015-04-14T10:47:26Z

Category:OWASP Secure Software Contract Annex added

Jeff Williams at 01:15, 20 April 2009

2009-04-20T01:15:23Z

Deleted user at 12:11, 20 March 2009

2009-03-20T12:11:58Z

Deleted user: Updated to allow for use of ESAPI

2009-03-20T12:11:10Z

Updated to allow for use of ESAPI

Deleted user: /* 3. LIFECYCLE ACTIVITIES */

2009-01-22T19:24:00Z

‎3. LIFECYCLE ACTIVITIES

Deleted user: /* 3. LIFECYCLE ACTIVITIES */ update to allow ASVS

2009-01-22T19:01:46Z

‎3. LIFECYCLE ACTIVITIES: update to allow ASVS

Jeff Williams at 20:15, 30 June 2008

2008-06-30T20:15:05Z

OWASP: /* ABOUT THE PROJECT */

2006-11-30T15:37:48Z

‎ABOUT THE PROJECT

@@ Line 22: / Line 22: @@
 ==ABOUT THE PROJECT==
-This document was created by The Open Web Application Security Project (OWASP) Foundation, a not-for-profit charitable organization dedicated to creating free and open tools and documentation related to secure software. To facilitate easy use in private contracting, this document is offered under the CC Share Alike 3.0 license. You may modify and use as you see fit. You can find additional details about this project at http://www.owasp.com/index.php/OWASP_Legal_Project. We welcome comment from both producers and consumers of software, as well as the legal community.
+This document was created by The Open Web Application Security Project (OWASP) Foundation, a not-for-profit charitable organization dedicated to creating free and open tools and documentation related to secure software. To facilitate easy use in private contracting, this document is offered under the CC Share Alike 3.0 license. You may modify and use as you see fit. You can find additional details about this project at http://www.owasp.org/index.php/OWASP_Legal_Project. We welcome comment from both producers and consumers of software, as well as the legal community.
 OWASP gratefully acknowledges the special contribution from [http://www.aspectsecurity.com Aspect Security] for their role in the research and preparation of this document.

← Older revision		Revision as of 11:45, 14 April 2015
Line 1:		Line 1:
		+	[[Category:OWASP Secure Software Contract Annex]]
		+
	'''SECURE SOFTWARE DEVELOPMENT CONTRACT ANNEX'''		'''SECURE SOFTWARE DEVELOPMENT CONTRACT ANNEX'''

← Older revision		Revision as of 10:47, 14 April 2015
Line 194:		Line 194:

	[[Category:OWASP Legal Project]]		[[Category:OWASP Legal Project]]
		+	[[Category:OWASP Secure Software Contract Annex]]

	__NOTOC__		__NOTOC__

@@ Line 20: / Line 20: @@
 ==ABOUT THE PROJECT==
-This document was created by The Open Web Application Security Project (OWASP) Foundation, a not-for-profit charitable organization dedicated to creating free and open tools and documentation related to secure software. To facilitate easy use in private contracting, this document is placed in the public domain. You can find additional details about this project at http://www.owasp.com/index.php/OWASP_Legal_Project. We welcome comment from both producers and consumers of software, as well as the legal community.
+This document was created by The Open Web Application Security Project (OWASP) Foundation, a not-for-profit charitable organization dedicated to creating free and open tools and documentation related to secure software. To facilitate easy use in private contracting, this document is offered under the CC Share Alike 3.0 license. You may modify and use as you see fit. You can find additional details about this project at http://www.owasp.com/index.php/OWASP_Legal_Project. We welcome comment from both producers and consumers of software, as well as the legal community.
 OWASP gratefully acknowledges the special contribution from [http://www.aspectsecurity.com Aspect Security] for their role in the research and preparation of this document.

@@ Line 105: / Line 105: @@
 ;(c) Design : Developer agrees to provide documentation that clearly explains the design for achieving each of the security requirements. In most cases, this documentation will describe security mechanisms, where the mechanisms fit into the architecture, and all relevant design patterns to ensure their proper use. The design should clearly specify whether the support comes from custom software, third party software, or the platform.
-;(d) Implementation : Developer agrees to provide and follow a set of secure coding guidelines and to use a set of common security control programming interfaces (such as the [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]). Guidelines will indicate how code should be formatted, structured, and commented. Common security control programming interfaces will define how security controls must be called and how security controls shall function. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test.
+;(d) Implementation : Developer agrees to provide and follow a set of secure coding guidelines and to use a set of common security control programming interfaces (such as the [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP Enterprise Security API (ESAPI)]). Guidelines will indicate how code should be formatted, structured, and commented. Common security control programming interfaces will define how security controls must be called and how security controls shall function. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test.
 ;(e) Security Analysis and Testing : Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard (ASVS)]). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.

@@ Line 107: / Line 107: @@
 ;(d) Implementation : Developer agrees to provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test.
-;(e) Security Analysis and Testing : Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the [[OWASP Application Security Verification Standard]]). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.
+;(e) Security Analysis and Testing : Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard (ASVS)]). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.
 ;(f) Secure Deployment : Developer agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.

@@ Line 165: / Line 165: @@
 ;(c) Scope of Review : At a minimum, the review shall cover all of the security requirements and should search for other common vulnerabilities. The review may include a combination of vulnerability scanning, penetration testing, static analysis of the source code, and expert code review.
-;(d) Issues Discovered : Security issues uncovered will be reported to both Client and Developer. All issues will be tracked and remediated as specified in the Security Issue Tracking section of this Annex.
+;(d) Issues Discovered : Security issues uncovered will be reported to both Client and Developer. All issues will be tracked and remediated as specified in the Security Issue Management section of this Annex.
 ===9. SECURITY ISSUE MANAGEMENT===