Steven,

There are more than several managers of application security programs
for F-100 companies that have written security requirements into their
SLAs with outsourced development firms.  One example uses application
penetration testing and vulnerability assessment findings to enforce
SLA requirements.  Some companies employ an entire team of people to
perform both whitebox and blackbox testing in addition to
external/3rd-party assessments.

And as you later state, security requirements should be written into
the functional requirements, and not handed off in their own category or
as some appendix document.

-Marcin
tssci-security.com

On Mon, Dec 1, 2008 at 9:59 AM, Herman Stevens
<[EMAIL PROTECTED]> wrote:
> I tend to disagree with your statement that security requirements should be 
> part of contractual agreements or added to a purchase order. In the Real 
> World (™ ☺) this does not work. Once signed, contracts are never looked at 
> again, unless the shit hits the fan and someone must be blamed for something 
> that went wrong. Development teams (which is a lot broader than the term 
> developers) _never_ read contracts or look at purchase orders.
>

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________