If government is unwilling or unable to put decent laws or regulations in place, then contracting is the way to get the rights and responsibilities assigned sanely. I think Ounce is on the exact right track here.
If you're interested in software contracting and security, you might like an article I wrote at OWASP -- http://www.owasp.org/columns/jwilliams/jwilliams4.html. At the very end is a link to the GE Code Integrity Warranty which is a good example. Well, a good example of one end of the spectrum anyway.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 07, 2004 4:07 PM
Subject: [SC-L] Government Computer News (GCN) -- Contract addendum could enforce software security

> Another FYI today... I saw an interesting article in GCN (via a link from
> LinuxSecurity.com) regarding an announcement from the folks at Ounce Labs.
> The article (which is at http://www.gcn.com/23_26/product-briefs/27167-1.html
> for those interested) states, "Ounce Labs has published sample contract
> language for software development that sets specific security standards and
> requires a security audit of the source code. The language frees the buyer
> from having to pay for software that does not meet the standards."
>
> Anyone here familiar with any organizations that have adopted Ounce Labs'
> contract verbiage -- or something conceptually similar to it?
>
> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com
