It's the time of year for New Year resolutions, so I was thinking about what security people could do differently to help make 2008 better than 2007 for software security.
One thing I came up with: speak to your purchasing people (if you've got some), or anyone else who approves software purchases in your company, and get a criterion added to your purchasing policy that requires software vendors to explain how they ensure the security of the software they're selling you.
After all, software companies are selling you products to help you run your business, and these days if they're selling you vulnerable products it's quite likely to have a negative effect on your company, either through security breaches which exploit the vulnerabilities or through the time you have to spend patching the software they provide.
Now I'm not suggesting that any software you buy will be perfect, but if you make software security a criterion in whether you purchase "package A" or "package B" you give the vendors an incentive to improve the security of their software.
Of course there's the problem of how you actually evaluate their claims... At one level there's the obvious case of listening to what they tell you and asking some searching questions like
"how many vulnerabilities has your product had in the last year?" and "what's your policy towards vulnerability researchers and disclosure?". Beware of companies who say that their software has no vulnerabilities. It's very likely that they're either lying or in denial!
Above that, another option would be getting your suppliers to submit their software for an independent 3rd party assessment (like the ones Veracode supply). This probably works best for large companies buying critical applications, but I think it's a good idea, in principle anyway, as it helps validate a software supplier's claims of security.