Practical InfoSec Part 1 - Contract Clauses for Outsourced development and Cloud Service Providers
Today most organisations outsource the development of their applications to specialist vendors and, depending on their requirements, also host those applications with cloud service providers. Besides process and technical controls, it is essential that certain legal controls are put in place. This is done by including specific clauses in the contracts with these partners. I have included some sample contract clauses which can be used in such contracts.
Sample clauses which can be included in contracts for outsourced software development
Contractual requirements for secure design, coding and testing practices;
Service provider shall:
a) ensure that secure coding practices are incorporated into all stages of the application development process, and that all developers are trained in secure application development regardless of the programming technology used;
b) document and implement a source code review process to ensure that each of the security requirements, including the security standards, policies and best practices, is followed;
c) use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files; and
d) use a build process that reliably builds a complete distribution from source and includes a method for verifying the integrity of the software delivered to the Client.
Service provider shall document in writing all third party software used in the software, including all libraries, frameworks, components and other products, whether commercial, free, open-source or closed-source, and shall make reasonable efforts to ensure that such third party software meets all the terms of this agreement and is as secure as the custom code developed under this agreement.
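Clause d) above asks for "a method for verifying the integrity of the software delivered to Client". The following is an added example (not code from the original post) of the simplest form such a method takes: the build emits a manifest of SHA-256 digests, the client pins the digest of that manifest (received out of band), and on delivery every file is checked against it, so altered, missing and unlisted files are all reported. The file names, contents and the version string are constructed for the example.

```python
"""Added example (not from the page): verifying a delivered software
distribution against a manifest produced by the vendor's build process."""
import hashlib
import json
from typing import Dict

Files = Dict[str, bytes]  # relative path -> file content (in-memory stand-in for a delivery)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Files, version: str) -> dict:
    """Produced at build time: one digest per file plus the release identifier.
    Entries are sorted so the manifest is reproducible for the same inputs."""
    return {
        "version": version,
        "algorithm": "sha256",
        "files": {path: sha256_hex(content) for path, content in sorted(files.items())},
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest; this is the value the client pins
    (received separately from the delivery) so the manifest itself cannot be swapped."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_delivery(received: Files, manifest: dict, pinned_digest: str) -> dict:
    """Client-side check. Reports every discrepancy rather than stopping at the first,
    so the whole delivery can be discussed with the vendor in one go."""
    result = {"manifest_ok": manifest_digest(manifest) == pinned_digest,
              "tampered": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    for path, digest in expected.items():
        if path not in received:
            result["missing"].append(path)
        elif sha256_hex(received[path]) != digest:
            result["tampered"].append(path)
    result["unexpected"] = sorted(set(received) - set(expected))
    return result


def delivery_is_intact(result: dict) -> bool:
    return result["manifest_ok"] and not (
        result["tampered"] or result["missing"] or result["unexpected"])


# Constructed sample distribution (hypothetical file names and contents).
BUILD_OUTPUT: Files = {
    "app/main.py": b"print('hello')\n",
    "lib/vendor-lib-1.2.3.jar": b"\x00binary\x00",
    "THIRD_PARTY.txt": b"vendor-lib 1.2.3 (Apache-2.0)\n",  # the written third-party inventory
}
MANIFEST = build_manifest(BUILD_OUTPUT, "1.0.0")
PINNED = manifest_digest(MANIFEST)

# A copy altered after the build: one listed file changed, one unlisted file added.
TAMPERED_COPY = dict(BUILD_OUTPUT)
TAMPERED_COPY["lib/vendor-lib-1.2.3.jar"] = b"\x00binary\x00extra"
TAMPERED_COPY["lib/unlisted.jar"] = b"\x00"

if __name__ == "__main__":
    print("clean delivery:", verify_delivery(BUILD_OUTPUT, MANIFEST, PINNED))
    print("altered copy:  ", verify_delivery(TAMPERED_COPY, MANIFEST, PINNED))
```

Pinning the manifest digest matters: a manifest shipped inside the same archive as the files proves nothing, because whoever alters a file can regenerate the manifest. In practice the manifest would be signed by the vendor's build system rather than merely hashed, but the comparison logic is the same.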
Certification of the quality and accuracy of the work carried out;
Service provider shall have their software independently reviewed for security flaws and common software vulnerabilities, through an internal team or by an independent organization that specializes in application security, at their expense, prior to delivery to the Client. Security reviews shall cover all aspects of the software delivered, including third party components and libraries. The review may include a combination of static analysis of the binary code, dynamic web application vulnerability scanning, and manual penetration testing. Service provider shall ensure that all issues reported are tracked and remediated. Reviews shall be conducted on the software to revalidate successful remediation of these issues prior to delivery of any new major or minor release to the Client. By delivering the application, and any subsequent versions or modifications, Service Provider shall be deemed to have provided a reasonable level of assurance that the application is free of malware at the time of sale, free of any obvious bugs, and free of any covert channels in the code.
Service Provider shall proactively inform the Client of any security issues in the software that remain unresolved despite all commercially feasible efforts to fix them. Service Provider, in consultation with the Client, shall create a mutually agreed upon remediation roadmap to resolve all such identified security issues.
Escrow agreements, e.g. if source code is no longer available;
Within five (5) business days after delivering the object code to the Client, service provider shall deposit one copy, on the Client's behalf, of the deliverable in source code form with an escrow agent specializing in software escrows whom the parties agree on in writing. If there are any updates, enhancements, or modifications to the software, service provider shall promptly deposit one copy, on the Client's behalf, of that update, enhancement, or modification, and any documentation related to it, with the escrow agent. Service provider hereby grants to the Client a contingent license to receive the source code from the escrow agent and to use the source code to support its use of the deliverable if service provider fails to fulfill its obligations to maintain the service as provided in this agreement, whether directly or through a successor or affiliate, ceases to be in the software business, becomes insolvent or admits insolvency or a general inability to pay its debts as they become due, files a petition for protection, or an involuntary petition is filed against it and is not dismissed within 60 Business Days, or comes under the control of a competitor of the Client.
Model clauses for contracts with Cloud Service Providers
Controls related to patch and configuration management, access control and authentication, application security, and logging and monitoring
Patch and Configuration management
The Cloud Service Provider shall ensure appropriate and timely action is taken to reduce risks resulting from exploitation of published technical vulnerabilities in operating systems, applications, and network devices under its management. This shall include the maintenance of reasonably up-to-date software on all services, systems and devices within the scope of the Services, including appropriate maintenance of operating system(s) and successful installation of reasonably up-to-date security patches. Supplier must have patch management procedures that promptly apply patches to all operating systems, applications and network devices in a consistent, standardized and prioritized manner based on criticality and risk. If a security patch cannot be promptly applied due to testing requirements, then effective risk mitigation controls must be implemented until such time as the patch can be applied.
Access Control and Authentication
Cloud Service Provider shall determine appropriate access control rules, rights, and restrictions for each user role with respect to its assets. Supplier shall maintain a record of the security privileges of its personnel that have access to systems, networks, and network services. Supplier shall restrict and tightly control the use of utility programs that might be capable of overriding system and application controls. Supplier shall use industry standard practices to identify and authenticate users who attempt to access information systems (e.g., biometrics, multifactor authentication, and password length, character complexity, and/or non-repeatability requirements). Supplier shall ensure that de-activated or expired identifiers are not reassigned to other individuals. Supplier shall monitor repeated attempts to gain access to the information system using an invalid credential.
Service provider shall ensure separation of Max Life's confidential information from any other customer's or the Vendor's own applications and information, either by using physically separate servers or by using logical access controls.
Application security
Supplier shall adopt security requirements for the purchase, use, or development of information systems, including for application services delivered as part of the Services. Supplier shall have policies for secure development, system engineering, and support that reflect industry best practices. Supplier shall manage the security of the development process and ensure that secure coding practices are implemented and followed, including appropriate cryptographic controls, protections against malicious code, and a peer review process. Supplier shall conduct appropriate tests of system security, including penetration tests, at least once every year and after any significant modification to application source code or configuration. Supplier shall use anonymized or obfuscated data in non-production environments. Supplier shall supervise and monitor the activity of outsourced system development.
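"Anonymized or obfuscated data in non-production environments" is easy to require and easy to do badly (for instance by hashing identifiers without a key, which is reversible by anyone who can guess the input space). The following is an added example (not code from the original post) of a per-field anonymisation policy: identifiers are replaced by keyed, field-scoped pseudonyms so records still join consistently, contact details are masked, harmless fields are copied through, and any field the policy does not name is dropped rather than leaked. The key, field names and sample records are constructed for the example.

```python
"""Added example (not from the page): producing an anonymised copy of
production records for loading into a non-production environment."""
import hashlib
import hmac
import re
from typing import Callable, Dict, List

# Constructed secret. It stays with the anonymisation job, never in the
# non-production environment, so the pseudonyms cannot be reversed from there.
PSEUDONYM_KEY = b"constructed-example-key-rotate-in-practice"


def pseudonym(value: str, field: str) -> str:
    """Keyed, field-scoped token: the same customer id always maps to the same
    token (joins across tables keep working), while an unkeyed hash of a short
    id could be brute-forced. Scoping by field keeps tokens from being
    cross-matched between unrelated columns."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def mask_email(value: str) -> str:
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def mask_phone(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


# Field -> transformation. Fields absent from both tables are dropped.
POLICY: Dict[str, Callable[[str], str]] = {
    "customer_id": lambda v: pseudonym(v, "customer_id"),
    "name": lambda v: "Customer " + pseudonym(v, "name")[:6],
    "email": mask_email,
    "phone": mask_phone,
}
KEEP = {"plan", "created"}  # non-identifying fields copied through unchanged


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in POLICY:
            out[field] = POLICY[field](value)
        elif field in KEEP:
            out[field] = value
        # anything else (free-text notes, unexpected columns) is deliberately dropped
    return out


def anonymise_all(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [anonymise(r) for r in records]


# Constructed sample records (fictional people, documentation domains).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1 555 123 1234", "plan": "gold", "notes": "called about invoice"},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1 555 123 1234", "plan": "gold", "notes": "second ticket"},
    {"customer_id": "C-2002", "name": "Bob Example", "email": "bob@example.org",
     "phone": "555-987-6543", "plan": "basic", "notes": ""},
]

if __name__ == "__main__":
    for row in anonymise_all(SAMPLE_RECORDS):
        print(row)
```

The drop-by-default rule is the part worth keeping when adapting this: a masking script that copies unknown columns through will leak the next field someone adds to the production schema.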
Logging and monitoring
Supplier must retain logs from information systems, network devices and applications for a minimum period of 180 days. Logs should be sufficiently detailed to assist in identifying the source of an issue and to enable a sequence of events to be reconstructed. Logs must capture system and network security event information, alerts, failures, events and errors. Logs must also include administrator and operator activity and data recovery events. The integrity of log files must be maintained and protected from tampering by restricting access to the systems that store log information.