Fair warning.
Dear Vendors:
Just so you know, if you draw up a contract with me, I will insist on the following:
Remediation of existing security vulnerabilities is considered to be maintenance, not enhancement or new functionality.
Let’s not have any misunderstandings here. If you write bugs into your code, I don’t care how long it is before they’re discovered or exploited; they were there from the beginning and you need to fix them. At your expense, not mine. Just because nobody ever mentioned security before doesn’t mean it’s “new functionality.” Having a secure product is not an “enhancement.” We will treat security vulnerabilities just like we would treat any other flaw in your software.
Also, you are responsible for testing your code for security vulnerabilities just as you are responsible for any other types of QA (unit testing, load testing, whatever). It’s tempting to rely on my team to do all the security testing for you, because hey, we’re better at it, but that doesn’t absolve you of your responsibility to give us a quality product. Get some security expertise of your own and get to work.
This has been a public service announcement from Annoyed ISOs International.
Posted by shrdlu on Friday, April 13, 2007