Software Security Addendum

Thank you for your interest in Ounce Labs' Software Assurance Security Addendum. This proposed contract language, developed with one of the nation's leading law firms, helps organizations outsourcing development ensure source code security in the delivered software.

"This contract language and the associated audits provide the structure for ensuring that security requirements are met and validated before acceptance."
Dave Cullinane, president of the ISSA
(Information Systems Security Association)

The Addendum's key elements include:

  1. Warranty of secure software, with specific language about verifying the absence of vulnerabilities that could pose a danger to the customer's data or network.
  2. The "teeth" in the agreement, specifying that the customer has no obligation to pay for or accept any Software that is Non-Secure.
  3. Required software security audit, using automated source code analysis software, manual analysis, or some combination of both security auditing techniques.
  4. Sample schedules of vulnerabilities considered unacceptable for the software security audit.

We encourage you to download the software assurance contract language and the sample security vulnerability schedules and modify them for your contracts:

  • If you're outsourcing: Use this language in your contracts to ensure your outsourced code is developed with security from the ground up, and validate it prior to acceptance.
  • If you're an outsourced provider: Make software security a competitive advantage. Document your best practices, and prove that they're implemented.

About Ounce Labs, Inc.

Ounce Labs' solutions enable organizations to identify, prioritize and eliminate business risk to the enterprise caused by software security vulnerabilities. With Ounce Labs, organizations strengthen application security, protect confidential information and verify compliance with both internal policies and industry mandates such as PCI, FISMA, HIPAA and others.

Ounce Labs' software analyzes application source code to provide the most complete and accurate analysis of application vulnerabilities and their relative priorities, enabling business users and IT professionals to optimize their resources on resolving the most critical issues.

Unique in its ability to scale across an organization's entire portfolio of applications, Ounce is used enterprise-wide by many of the world's most security-conscious organizations, including AT&T, EDS, IBM, Intel, Lockheed Martin, MFS, the U.S. Air Force, the U.S. Government Accountability Office, Unisys and VeriSign.

Led by senior executives with deep enterprise software and security expertise, Ounce Labs is headquartered in Waltham, Massachusetts, with regional offices throughout the U.S. For more information, please visit www.ouncelabs.com.

Once you have completed your download, please use your Ounce Labs ID to access any of our other in-depth security publications in our Library.