Thursday, March 5, 2009

Vendor Contracts

I gave a presentation at the Melbourne OWASP chapter recently and at this presentation, I shared some lessons learned on vendor contracts. More specifically, when dealing with vendors that are responsible for application development or delivery of a solution or product:

1. If you get engaged early enough on a project and get to review any vendor contracts that come your way, there are two big clauses you need to include:

  1. Adherence to your company information security policy (and other policies, statutes, etc.).
  2. A "right to audit" clause, to ensure that you get to perform the appropriate penetration testing or security audit.

Without these you have no assurance that any security will be built into your solution beyond what the vendor considers to be "secure".

2. Don't start a project without a firm contract in place. By contract I mean a legally binding agreement above and beyond a statement of work. Statements of work are fine for short-term engagements, particularly if they are followed by a consultancy agreement or similar document. They are insufficient for large-scale projects.

- J.
