How to specify verification requirements in contracts

If you are specifying web application security verification requirements in contracts, you can use the OWASP Application Security Verification Standard (ASVS) to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms.

Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.

The contract annex and this article have been place in the public domain to facilitate use in private contracts. The OWASP Secure Software Contract Annex can be updated to make use of the OWASP Application Security Verification Standard as follows:

Simply, update 9(e) to read:

9(e) Security Analysis and Testing. Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of  an agreed-upon standard (such as the OWASP ASVS). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.