For many business owners, it can be difficult to find software available on the market that meets every single one of their needs. Commercial software packages are made to satisfy the highest number of potential customers, but any needs outside of the norm may go unmet by commercial options. To meet their software requirements, business owners may need to hire a third-party developer to create an application from scratch. Developing custom software can be a months- or years-long process, and when it has been completed, leaders often reasonably assume that the software will be secure upon installation. Unfortunately, application security is not always the developer’s responsibility. In fact, more of the responsibility lies on the customer. Luckily, there is one simple step that the customer can do to ensure that security holes are closed before their third-party developer finalizes the product: they can get their developer to sign a software contract addendum.
What is a software contract addendum?
A software contract addendum is supplemental to the initial development contract. It outlines the parties’ rights and responsibilities related to the security of the software that is being developed or delivered. Once signed, it can be used to help both parties understand the following:
- Each other’s needs and limitations in providing or receiving a secure software package;
- The true cost of securing the software;
- What testing will be performed before deployment of the final application;
- Whose responsibility it will be if a security hole is discovered after delivery;
- What support services will be offered in the future; and,
- What risks remain, and whose responsibilities those risks are.
Most standard software development contracts are absent of this information, which not only muddies the expectations for both parties, but also makes any future litigation more costly and time consuming. A contract addendum like this can help ensure that the software is “secure from the start” (SFTS).
How can I addend future software contracts?
Business leaders should first determine what clauses they would like to see in a perfect contract. They can ask themselves some of the following questions:
- What sort of breaches should be avoided given the data we control?
- Do I want an external professional to review the security code before it is launched?
- How much security documentation will I find acceptable from my developers?
They should also consider the developers themselves. In doing so, they can see where their shortcomings lie, which can help them draft a better addendum.
- Are these developers adequately and regularly trained in security?
- Do they test the security of the application before signing off on it?
- What risks do they assume if a security breach occurs months from now?
Business managers should strongly consider hiring an outside IT consultant to help draft a security addendum to their future contracts. Because each contract is different, and because there are no regulations that control the software contracts themselves, a qualified professional in this area can be a significant asset. Many consultants rely on the security framework that was created by the Open Web Application Security Project (OWASP) Foundation to help them draft their clients’ addenda. OWASP is a not-for-profit organization that creates open-source tools to help their users create and advocate for secure software. In addition to having a thorough understanding of this framework, a good consultant will have the experience necessary to know what clauses to include in the contract, and will know how to negotiate on behalf of their client when and if the developer pushes back.
If you think that your current third-party software development contract is lacking important information about the application’s security, get in contact with us. GBQ has an IT consulting services department that can advise you in this area. Not only can we draft the addendum itself, but we can begin negotiations directly with your developer on your behalf. If you’d like even more oversight of your IT security, we also offer fractional CISO services to our clients. We can work closely with your team to develop information security strategies, cyber security policies and oversight procedures for your organization. For additional information please contact us directly. We look forward to speaking with you soon.