How to specify verification requirements in contracts

From OWASP
Latest revision as of 23:45, 7 February 2009

If you are specifying web application security verification requirements in contracts, you can use the OWASP Application Security Verification Standard (ASVS) to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms.


Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.


The contract annex and this article have been placed in the public domain to facilitate use in private contracts. The OWASP Secure Software Contract Annex has been updated to make use of the OWASP Application Security Verification Standard as follows:


9(e) Security Analysis and Testing. Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the OWASP ASVS). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.

Good luck!