David A. Wheeler's Blog

Wed, 23 Feb 2005

OWASP Legal Project - Secure Software Development Contract Annex

The Open Web Application Security Project (OWASP) Legal Project has just announced the “Secure Software Development Contract Annex”. This is basically a starting point for a contract to do software development; it tries to spell out exactly what’s required so that the results are secure.

I didn’t develop this text, but I’m glad to see that some people are working on it. In the contracting world, if you don’t specifically ask for it, you don’t get it. Since most contracts today don’t specifically say that a secure result is needed (and what that means), currently the person paying for the software isn’t getting a secure product. Hopefully this sort of thing will solve the problem.

Personally, I think this is a “first draft”; there are things I’d like to see made more specific. For example, I think it should clearly state that in the development environment it should be possible to determine specifically, by name, who wrote any given line of code. And there are many other issues (like automated examination of code) that aren’t covered. In particular, there are many more common vulnerabilities than the top ten list of OWASP. But this is a very interesting and encouraging first start, and I’m glad to see it.

path: /security | Current Weblog | permanent link to this entry