This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix I

Revision as of 23:30, 19 December 2009 by Walter Houser (talk | contribs) (APPENDIX I SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS)

Jump to: navigation, search



Software Assurance in Acquisition: Mitigating Risks to the Enterprise "... provides information on how to incorporate SwA considerations in key decisions and how to exercise due diligence throughout the acquisition process relative to potential risk exposures that could be introduced by the supply chain." [1]

"Application Security Procurement Language is freely available at [2]. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at [3]. These ... enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language offers General provisions that address personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development. It provides procurement language to address the DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation. It offers sample procurement language to cover TESTING: test planning, source code reviews, as well as vulnerability and penetration tests. The sample procurement language provides provisions for addressing Patches and Updates, along with notification and testing of those modifications to the software. It has provisions for Tracking Security Issues. It has provisions for a vendor to self-certify and provide a “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated." Acquisition and Outsourcing Working Group

--Walter Houser 23:22, 19 December 2009 (UTC)