The Software Assurance (SwA) Acquisition and Outsourcing working group is composed of members from industry, government, and academia. Its mission is to inform acquirers about risks in the software supply chain and how to incorporate software assurance considerations in decisions associated with procuring software or acquiring and outsourcing software products and services. The objective is to apply a risk-based approach when acquiring, purchasing, or outsourcing software and related services so that software is more resistant to attack, has fewer exploitable vulnerabilities, and minimizes operational risks.
Those making procurement and acquisitions decisions should understand the potential risks from the software supply chain, and this requires an understanding of the potential paths software can take before it is acquired and put into use. Each organization in the supply chain path has an influence on the security or exploitability of the software. Knowing who produced the software and being able to determine if they use security-aware practices in producing software can provide the requisite transparency for informed risk-based decision making in purchasing software or contracting for software services.
The objective is for acquirers to apply a risk-based approach to software acquisition and purchase software that is more resistant to attack, has fewer vulnerabilities, and minimizes operational risks to the greatest extent possible.
Acquisition officials should be able to
- understand the importance of integrating SwA practices within the software acquisition life cycle
- contractually capture SwA factors critical to the success of the acquisition and deployment of the application
- recognize risks that can be avoided or minimized
- implement security practices to be adopted by acquisition personnel
The WG wants to publish, disseminate, and socialize guidance that helps acquisition officials meet the above object.
Recent Releases and Updates
The March/April issue of CrossTalk, sponsored by the DHS Office of Cybersecurity and Communications (CS&C), includes the article"Supply Chain Risk Management: Understanding Vulnerabilities in Code You Buy, Build, or Integrate." The work discussed in the article is sponsored by the CS&C Software Assurance Program.
OWASP RFP-Criteria is an OWASP project that seeks to provide an objective list and aggregate set of questions for companies to utilize when they issue an RFP for web application security verification. Question subjects range from “Company Background” and “Scope” to more security-centric subjects such as “Application Security Verification Methodology” and “Risk Evaluation.” For more information see http://www.owasp.org/index.php/OWASP_RFP-Criteria.
Effective Software Security Management by Dharmesh Mehta is freely available at http://www.owasp.org/images/2/28/Effective_Software_Security_Management.pdf. This white paper discusses practical, flexible, and understandable approaches to aligning application security in SDLC. The white paper goes through each stage of the SDLC, from initiation to maintenance, and gives a high-level overview of what measures can be taken at each phase to increase the security of software.
Two Software Assurance Pocket Guides related to software acquisition, "Contract Language For Secure Software" and "Software Supply Chain Risk Management and Due Diligence," have been posted on the SwA Resources page.
A number of new resources have been added to the Acquisition and Outsourcing Working Group Resources page.
Software Assurance in Acquisition: Mitigating Risks to the Enterprise is freely available for use on this working group’s Activities page. It offers due-diligence questionnaires and sample language for request for proposals and contract terms and conditions. Since it was co-developed with representatives from the Information Resources Management College (IRMC), it has also been published as an occasional paper through the National Defense University Press.
Application Security Procurement Language is freely available at http://www.sans.org/appseccontract/. These guidelines incorporate substantial language from the OWASP Secure Software Contract Annex, which is freely available at https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. These provide a resource to help enable buyers of custom software to more explicitly focus on the responsibilities of code writers for checking the code and for fixing security flaws before software is delivered. The sample procurement language offers General provisions that address personnel, Security Training, Background Checks of Developers, Vulnerabilities, Risks and Threats, and Application Development. It provides procurement language to address the DEVELOPMENT ENVIRONMENT: Secure Coding, Configuration Management, Distribution, Disclosure, and Evaluation. It offers sample procurement language to cover TESTING: test planning, source code reviews, as well as vulnerability and penetration tests. The sample procurement language provides provisions for addressing Patches and Updates, along with notification and testing of those modifications to the software. It has provisions for Tracking Security Issues. It has provisions for a vendor to self-certify and provide a “certification package” that establishes the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. Its provisions include specifying that the developer is to warrant that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. It offers procurement language for how security issues will be investigated.
To learn more about the Software Assurance Acquisition and Outsourcing Working Group, contact the working group co-chairs at software.assurance [at] dhs.gov. We are especially interested in feedback on use of the Software Assurance in Acquisition: Mitigating Risks to the Enterprise document.
To join the Software Assurance Acquisition and Outsourcing Working Group, see the instructions for joining a working group.
If you or your organization would like to support, speak or contribute to, or otherwise interact with the working group or benefit from its efforts, contact software.assurance [at] dhs.gov.