Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix I - Revision history

Dan Philpott at 21:39, 24 December 2009

2009-12-24T21:39:23Z

Walter Houser at 23:10, 21 December 2009

2009-12-21T23:10:03Z

Walter Houser at 23:07, 21 December 2009

2009-12-21T23:07:47Z

Walter Houser at 23:05, 21 December 2009

2009-12-21T23:05:36Z

Walter Houser at 23:03, 21 December 2009

2009-12-21T23:03:48Z

Walter Houser at 23:02, 21 December 2009

2009-12-21T23:02:29Z

Walter Houser: /* APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS */

2009-12-21T22:48:02Z

‎APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS

Walter Houser at 23:38, 19 December 2009

2009-12-19T23:38:26Z

Walter Houser: /* APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS */

2009-12-19T23:37:15Z

‎APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS

Walter Houser: /* APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS */

2009-12-19T23:35:33Z

‎APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS

← Older revision		Revision as of 21:39, 24 December 2009
Line 4:		Line 4:

	PARTNERSHIPS, OUTSOURCING ARRANGEMENTS, SUPPLY CHAIN EXCHANGES		PARTNERSHIPS, OUTSOURCING ARRANGEMENTS, SUPPLY CHAIN EXCHANGES
		+
		+	For Appendix I, my major comment is that it did not seem to have covered issues with outsourced application development, which happens a lot. In this scenario, you could provide the service provider with your security requirements and standards. But you may have to rely on the service provider to choose and implement the security controls. It is probably necessary to conduct a review of the chosen security controls before they are implemented. And eventually, the steps of "assess security controls" and "authorize information systems" would need to be conducted by internal people. Furthermore, security code review need to be conducted if the service provider has development software code that is deemed critical from a security perspective. -William Zhang

	== APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS ==		== APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS ==

@@ Line 13: / Line 13: @@
 Software security enhanced due-diligence is a critical element of software supply chain risk management. Buyers and evaluators of software and services can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software.
-[https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf
+[https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf Software Assurance in Acquisition: Mitigating Risks to the Enterprise] "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain."
 [http://www.sans.org/appseccontract/ Application Security Procurement Language]. These guidelines incorporate substantial language from the [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:

@@ Line 4: / Line 4: @@
 PARTNERSHIPS, OUTSOURCING ARRANGEMENTS, SUPPLY CHAIN EXCHANGES
 == APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS  ==
-[https://buildsecurityin.us-cert.gov/swa/downloads/ContractLanguage_ID_DH_090806.pdf Software Assurance in Acquisition and Contract Language PDF File] Version 1.1 July 31, 2009.
+[https://buildsecurityin.us-cert.gov/swa/downloads/ContractLanguage_ID_DH_090806.pdf Software Assurance in Acquisition and Contract Language] Version 1.1 July 31, 2009.
 Integrating software security in the acquisition life cycle promotes the acquisition of secure software. This version includes sample SwA Request for Proposal (RFP)/ Contract language. Buyers and evaluators of software and suppliers can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software.
@@ Line 15: / Line 13: @@
 Software security enhanced due-diligence is a critical element of software supply chain risk management. Buyers and evaluators of software and services can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software.
-Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]
+[https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf
 [http://www.sans.org/appseccontract/ Application Security Procurement Language]. These guidelines incorporate substantial language from the [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
@@ Line 25: / Line 24: @@
 *Tracking Security Issues. - vendor ... “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated."
-[https://buildsecurityin.us-cert.gov/swa/acqwg.html Acquisition and Outsourcing Working Group]
+See Software Assurance [https://buildsecurityin.us-cert.gov/swa/acqwg.html Acquisition and Outsourcing Working Group].
 <br>--[[User:Walter Houser|Walter Houser]] 23:22, 19 December 2009 (UTC)
 [[Category:GIC-NISTSP80037r1FPD]]

@@ Line 17: / Line 17: @@
 Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]
-"Application Security Procurement Language is freely available at [http://www.sans.org/appseccontract/]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
+[http://www.sans.org/appseccontract/ Application Security Procurement Language]. These guidelines incorporate substantial language from the [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
 *Personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development.

@@ Line 9: / Line 9: @@
 == APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS  ==
-[https://buildsecurityin.us-cert.gov/swa/downloads/ContractLanguage_ID_DH_090806.pdf Software Assurance in Acquisition and Contract Language PDF File]
+[https://buildsecurityin.us-cert.gov/swa/downloads/ContractLanguage_ID_DH_090806.pdf Software Assurance in Acquisition and Contract Language PDF File] Version 1.1 July 31, 2009.
-Version 1.1 July 31, 2009
+[https://buildsecurityin.us-cert.gov/swa/downloads/DueDiligenceMWV12_01AM090909.pdf Software Supply Chain Risk Management and Due Diligence] Version 1.2 June 16, 2009.
 Software security enhanced due-diligence is a critical element of software supply chain risk management. Buyers and evaluators of software and services can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software.
 Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]

← Older revision		Revision as of 22:48, 21 December 2009
Line 8:		Line 8:

	== APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS ==		== APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS ==
		+
		+	Software Assurance in Acquisition and Contract Language
		+	Version 1.1 July 31, 2009
		+	Integrating software security in the acquisition life cycle promotes the acquisition of secure software. This version includes sample SwA Request for Proposal (RFP)/ Contract language. Buyers and evaluators of software and suppliers can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software. [https://buildsecurityin.us-cert.gov/swa/downloads/ContractLanguage_ID_DH_090806.pdf PDF File]
		+
		+	Software Supply Chain Risk Management and Due Diligence
		+	Version 1.2 June 16, 2009
		+	Software security enhanced due-diligence is a critical element of software supply chain risk management. Buyers and evaluators of software and services can gain security risk-based insight. They can put suppliers on notice that consumers are concerned about software security and the risks to their organizations that are attributable to exploitable software.
		+	[https://buildsecurityin.us-cert.gov/swa/downloads/DueDiligenceMWV12_01AM090909.pdf PDF File]

	Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]		Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]

@@ Line 7: / Line 7: @@
-==APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS ==
+== APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS  ==
-Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain."  [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]
+"Application Security Procurement Language is freely available at [http://www.sans.org/appseccontract/]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
-"Application Security Procurement Language is freely available at [http://www.sans.org/appseccontract/]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
+*personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development.
-- personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development.
+*DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation.
-- DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation.
+*TESTING: test planning, source code reviews, as well as vulnerability and penetration tests.
-- TESTING: test planning, source code reviews, as well as vulnerability and penetration tests.
+*Patches and Updates, along with notification and testing of those modifications to the software.
-- Patches and Updates, along with notification and testing of those modifications to the software.
+*Tracking Security Issues. - vendor ... “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated."
---[[User:Walter Houser|Walter Houser]] 23:22, 19 December 2009 (UTC)
+<br>--[[User:Walter Houser|Walter Houser]] 23:22, 19 December 2009 (UTC)
 [[Category:GIC-NISTSP80037r1FPD]]

← Older revision		Revision as of 23:35, 19 December 2009
Line 12:		Line 12:
	Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]		Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition_102208.pdf]

−	"Application Security Procurement Language is freely available at [http://www.sans.org/appseccontract/]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ~~offers General provisions that address~~ personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development. ~~It provides procurement language to address the~~ DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation. ~~It offers sample procurement language to cover~~ TESTING: test planning, source code reviews, as well as vulnerability and penetration tests. ~~The sample procurement language provides provisions for addressing~~ Patches and Updates, along with notification and testing of those modifications to the software. ~~It has provisions for~~ Tracking Security Issues. ~~It has provisions for a~~ vendor ~~to self-certify and provide a~~ “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated." [https://buildsecurityin.us-cert.gov/swa/acqwg.html Acquisition and Outsourcing Working Group]	+	"Application Security Procurement Language is freely available at [http://www.sans.org/appseccontract/]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language ... addresses:
		+	- personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development.
		+	- DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation.
		+	- TESTING: test planning, source code reviews, as well as vulnerability and penetration tests.
		+	- Patches and Updates, along with notification and testing of those modifications to the software.
		+	- Tracking Security Issues.
		+	- vendor ... “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated." [https://buildsecurityin.us-cert.gov/swa/acqwg.html Acquisition and Outsourcing Working Group]