[SC-L] How Can You Tell It Is Written Securely?

Jim Manico jim at manico.net
Thu Nov 27 16:38:23 EST 2008 

>  OK.  So you decide to outsource your programming assignment to Asia
and demand that they deliver code that is so locked down that it cannot
misbehave.  How can you tell that what they deliver is truly locked
down?  Will you wait until it gets hacked?  What simple yet thorough
inspection process is there that'll do the job?  Doesn't exist, does it?

This most important thing you can do is provide very specific security
requirements as part of your vendor contract BEFORE you hire a vendor -
and the process of building these security requirements might call for
bringing in a security consultant if you do not have the expertise in-shop.

Requirements that allow a vendor to actually provide security are line
items like (assuming its a web app):

"Provide input validation for every piece of user data. Do so by mapping
every unique piece of user data  to a regular expression that is placed
inside a configuration file."
"Provide CSRF protection by creating and enforcing a form nonce for
every user session"

After you build this list for your company, it should provide you with a
core list of security requirements that you can add to any PO.

- Jim

>  
>  
> MARK ROCKMAN
> MDRSESCO LLC 
> ------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>   


-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20081127/acd2fe6a/attachment.html

More information about the SC-L mailing list