In the last few years there has been a rise in the number of security vulnerabilities found in software and applications, and those vulnerabilities have led to large losses of money, of trust, and of the morale of the people who use the software. Software development companies are always on the edge of their seats to get their software out of development and onto the market so that they stay ahead of the competition. Vendors want their software developed fast, cheap and of excellent quality. But software that is fast and cheap will not have the desired quality; software that is of excellent quality and must be cheap cannot be delivered fast; and software that is fast and of the desired quality cannot be cheap.
Software development contracts nevertheless try to address all three traits, fast, cheap and quality, at the same time. When we say quality here, we mean that the software has been well tested in terms of functionality, usability and security. Until now, very few companies actually put a security provision in their contracts, that is, a clause requiring the company developing the software to have the application's security tested as well. Depending on the provisions made, it was either the developers or the buyer of the software who bore the ultimate responsibility for the software when a security breach was reported.
Different companies take different approaches to how the security provision in a software development contract should be handled. One may argue that it must be the developers' responsibility to make sure that the software they deliver to the buyer has been tested for security. But developers have been asked to deliver a product that is complete, does what it is supposed to do, and matches the original design. Having met those requirements, developers are unlikely to be bothered by the fact that, outside its normal course of operation, the software is vulnerable to attacks that may cost its users their data, their privacy, or both.
On the other hand, the buyers who commissioned the software would prefer to blame the vulnerability on the developers and come out clean themselves. But since the design of the software was supplied by the buyers, they should be held responsible if that design did not itself contain the security requirements that the developers would then have implemented.
Another facet of this discussion is that even when the contract does contain a security provision and both parties have fulfilled their part in making the software secure, new methods of attack keep appearing. Software that was secure when it was delivered may be rendered insecure by a new attack vector. What should the approach be in that case? Will the vendor of the software take the blame, or are the developers responsible? The common view is that, since the developers have done their part and delivered secure software, it is the vendor's responsibility to make sure that the software remains resistant to attack, including attacks along newly discovered vectors. That can only be done by subjecting the software to regular testing (periodic retests against newly disclosed attack techniques, not a single test at delivery), which falls squarely within the vendor's purview.
Something's got to give - fast, cheap, high quality, and secure. Have you seen security provisions in software contracts?