Contract addendum could enforce software security
- By William Jackson
- Sep 03, 2004
The maker of a software security analysis tool is promoting quality assurance for outsourced code development.
'We're going to help drive new behavior,' said Jack Danahy, president and CEO of Ounce Labs Inc. of Waltham, Mass.
Ounce Labs has published sample contract language for software development that sets specific security standards and requires a security audit of the source code. The language frees the buyer from having to pay for software that does not meet the standards.
Danahy made no bones about the fact that adoption of the contract language could expand the market for his company's flagship analysis tool, Prexis. But outsiders, including at least one government IT administrator, also welcome the contract addendum.
'It is incredibly significant,' said Jamie Gateau, director of technology innovation for the Naval Network and Space Operations Command in Dahlgren, Va.
Part of his job is overseeing software development, whether in-house or outsourced.
Gateau can control the work in house, he said, 'but when I'm dealing with contractors, we didn't have contract language to specify secure code. Now we finally have the beginnings of a language to talk about how we're going to hold people responsible for secure coding.'
The contract addendum, which requires free registration at www.ouncelabs.com/assurance/index.asp
, spells out:
- A security warranty with specific language for verifying absence of vulnerabilities
- A security audit by either automated or manual code analysis
- Teeth in the agreement, specifying that a customer has no obligation to accept or pay for software not verified as secure, although the developer must have a chance to remedy security flaws.
The document includes sample schedules of vulnerabilities considered unacceptable in C and C++ code and Web applications.
Although the addendum does not specify analysis tools, Danahy said he hopes Prexis will be selected. The engine uses what the company calls contextual analysis to examine relationships between individual calls, modules, data elements and processes.
Reporting modules can show results at varying levels of detail, with suggestions for fixes.
Prexis runs under Microsoft Windows XP Professional, 2000, and Server 2000 and 2003, with a 300-MHz or faster processor and at least 512M of memory. Version 2.0 examines C and C++ code. Danahy said the next version, available this summer, would cover the Java language.
Automated tools for software security audits are relatively new, but competition is beginning to develop. More products mean the market will grow, Danahy said, and standardizing security requirements would be a rising tide that lifts all boats.
Although the contract language is aimed at custom development, Danahy said, it eventually could change expectations and responsibility for shrink-wrapped software.
Despite software giant Microsoft Corp.'s trustworthy computing initiative, 'I have no way of making sure what they have written is secure,' he said.
The security requirements have not yet been included in any actual contracts. Although the addendum provides some boilerplate for development contracts, it is not a finished product.
'It's not all-inclusive and not intended to be,' he said. 'It's going to have to be a living document, never wholly complete.'
William Jackson is freelance writer and the author of the CyberEye blog.