<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Thu, 14 Jun 2007 00:31:09 -0000</lastBuildDate><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322772</link><description>Tom:&lt;br&gt;&lt;br&gt;We could start with a single question:&lt;br&gt;&lt;br&gt;"Do you mandate any sort of security activity as part of your product development lifecycle?"&lt;br&gt;&lt;br&gt;There's a follow-on, which is "please explain."&lt;br&gt;&lt;br&gt;Since 90% of the vendors don't make it to the follow-on (yet), considerations of comparisons between explanations are secondary.  But I'm happy to &lt;a href="http://www.homeport.org/~adam/review.html" rel="nofollow"&gt;go there&lt;/a&gt; at length.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Adam</dc:creator><pubDate>Thu, 14 Jun 2007 00:31:09 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322771</link><description>I came across this when looking for something else:&lt;br&gt;&lt;a href="http://www.cigital.com/labs/reliability/certification.php" rel="nofollow"&gt;http://www.cigital.com/labs/reliability/certifi...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Wed, 13 Jun 2007 18:12:33 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322770</link><description>Adam: what's a short questionnaire a security-savvy front-line developer could use to quiz a
third-party partner, and reasonably expect to get a meaningful response on?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 13 Jun 2007 15:35:28 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322769</link><description>What about asking about their development practices?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Adam</dc:creator><pubDate>Wed, 13 Jun 2007 12:15:48 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322768</link><description>If you as a developer find a need to plug in one of a shortlist of open source projects to complete a task, consider that the larger and more responsive the project's community the:&lt;br&gt;&lt;br&gt;A. More likely code audits will be done, and present vulns fixed.&lt;br&gt;B. The quicker any bugs from step A will be patched.&lt;br&gt;C. The more noise will be made about any vulns found in step A, so the more likely you will hear about them.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rhys Kidd</dc:creator><pubDate>Tue, 12 Jun 2007 08:38:45 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322767</link><description>ahah good luck! now, seriously, what about all those that have embedded 3rd party libraries and don't disclose it (and some may not even _know_ they do). some plausible examples: zlib, libpng, xerces, openssl (or portions of it), multiple audio/video codecs, etc.
Some of them may have been "namespace-cosmetized"  and statically linked into the product just to get it out the door in time several release cycles (years) ago and now nobody even knows the code is there...implausible you say?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Tue, 12 Jun 2007 02:19:22 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322766</link><description>Here in the Middle East, I’ve seen vendors of certain Applications running really old versions of 3rd party software which are riddled with vulnerabilities.  I get called in to conduct an application security assessment and I usually include these findings in addition to the application audit itself.&lt;br&gt;  &lt;br&gt;The problem I see is when the customer has already selected the product and deployed it without proper guidance in the beginning.  Richard makes a valid point that if it is a contractual obligation, then you’re covered to a certain extent, but how do you solve it after it has been put into place?&lt;br&gt;&lt;br&gt;One of my customers has been waiting for a fix to a 3rd party product for over 6 months.  In my case, it has taken countless extra days (at no cost) for me to sit with the vendor and try to explain why these patches need to be applied only to receive the response that the patches will break the functionality of the application.  When I ask for technical proof of this or a demo in a staging environment, I never receive it.  At this point, I offer the customer an addendum to my contract which lets me act on behalf of the customer to work out the problem technically with the vendor.  In most cases, the customer will not want to spend the additional amount, will concede and take on the responsibility as an “acceptable risk”.  These are banks.  
I don’t think people take security seriously here.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sheran</dc:creator><pubDate>Tue, 12 Jun 2007 01:49:29 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322765</link><description>As a customer of vendors who embed 3rd party products and libraries, we're leaning towards requiring security patches for the 3rd party components be applied and an updated version of the package available to us within a short, reasonable interval.  Eventually, a vendor's failure to provide such an assurance will be enough to kill their proposal.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Johnson</dc:creator><pubDate>Mon, 11 Jun 2007 19:40:47 -0000</pubDate></item><item><title>Re: Security Boat Anchors: 3rd Party Products/Libraries</title><link>http://www.matasano.com/log/878/security-boat-anchors-3rd-party-productslibraries/#comment-2322764</link><description>secure software contract annexes backed by open industry certifications/review (owasp, mitre, wasc, sans-ssi, et al)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Mon, 11 Jun 2007 17:05:37 -0000</pubDate></item></channel></rss>