New York State holds software developers accountable

The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) introduced the Application Development Security Procurement Language this month. Heralded as a "living document" by its authors, it is designed to complement the CWE/SANS Top 25 project, which identifies and prioritizes the programming errors most likely to cause security problems for software customers.

The draft procurement language document is intended specifically for custom code development rather than commercial off-the-shelf products. "While these provisions have been drafted for use in a contract for application development, similar language can be incorporated into other procurement documents, including requests for proposals and statements of work," the document said.

The document provides a template for custom software development contracts. It mandates background checks for software development personnel, adequate training for development teams, and the designation of a single senior information security specialist for the duration of the development process.

Vendors should provide written documentation showing proof of secure application development, and should conduct a peer review of all code before it is considered ready for testing, the template says. Written reports should be provided to the purchaser on any security issue identified during the application development lifecycle, and a plan should be established to transfer knowledge to the customer so that the application can be maintained in a production environment.

The template specifically singles out the 25 most dangerous programming errors as identified in the CWE/SANS project, mandating a threat assessment and analysis procedure that covers those flaws.

Other measures mandated by the contract template include identifying the tools used in the development process, along with a set of written secure coding guidelines, documentation of a source code control system, and disclosing all third-party software used in the application.

Not everyone welcomed the idea of tying procurement language to a specific list of software bugs, however. "I think the idea of linking procurement language to a list of specific bugs as being touted by SANS is counterproductive and silly," argued Gary McGraw, CEO of application security company Cigital. "Based on my experience as an expert in litigation, my prediction is that there will be zero lawsuits based on this notion and that this list will do nothing to provide safe harbor in the case of insecure software."