[Owasp-singapore] Fwd: Re: [security-77] Vendor asking customers to be less secure

Wong Onn Chee ocwong at usa.net
Tue Mar 9 22:46:45 EST 2010


FYI

-------- Original Message --------
Subject: 	Re: [security-77] Vendor asking customers to be less secure
Date: 	Wed, 10 Mar 2010 11:45:58 +0800
From: 	Wong Onn Chee <ocwong at usa.net>
To: 	security-77 at meetup.com, Rick Zhong <rick.zhong at gmail.com>



Hi Rick,

Good advice.


Hi folks,

My $0.02 as follows:

1) Remember my push for a dual browser environment?
Having a primary option and a secondary option gives an organisation
flexibility and choice.
Having a secondary choice also gives the organisation a stick to wave in
front of the primary vendor if the primary vendor ever acts against the
interest of the organisation.

Any organisation that has the freedom of choice is a very powerful, agile
and effective organisation.

2) In the event that it is not possible to have 2 vendors, one must be
prudent in selecting the sole primary vendor.
Many a time, organisations forget to add security requirements to
their procurement contracts.

I advise the following conditions to be added to all your procurement
contracts:

1) The selected enterprise vendor must update their solutions within *X*
weeks to support the new patches or upgrades of the supporting
applications after their official release dates.

2) These supporting applications include but are not limited to:
a. OS patches
b. Application frameworks - .Net framework, Java Runtime/JDK, PHP framework
c. Rich media plugins - Adobe Flash/Silverlight
d. Adobe Reader
e. Office suites - MS Office/OpenOffice
f. Browsers - IE/Firefox/Chrome

3) The vendor is liable for liquidated damages of Y% of the annual
maintenance amount for every working day of delay beyond the X-week
deadline in providing support for the new patches or upgrades of the
supporting applications.


If the vendor refuses to agree to the above conditions, do not sign with
them.
Choose a vendor who is willing to commit to upgrading their solutions to
ensure good security.

So now that you have read this email, you can no longer use the defence of
ignorance!
You have now fallen into the trap of the knowledgeable. ;-)
Know your rights and exercise your rights!


Happy sharing and have a safe 2010!

Cheers
Onn Chee



On 03/10/2010 12:16 AM, Rick Zhong wrote:
> In many cases, going through the business unit who owns the
> relationship with these vendors will be a more effective (or the only)
> way to give a kick to these vendors. Btw there are some monopolized
> vendors in the market who we need them more than they need us. Those
> are the real headaches.
>  
>
>  
> On Tue, Mar 9, 2010 at 11:47 AM, anton_kg <anton.bugs at gmail.com
> <mailto:anton.bugs at gmail.com>> wrote:
>
>     Such vendors just need an a$$kick:
>     PDF was officially released as an open standard, make sure your
>     software can generate it accordingly so your valuable customers could
>     open it in any PDF viewer, in any OS.
>
>     On 9 March 2010 11:13, Wong Onn Chee <ocwong at usa.net
>     <mailto:ocwong at usa.net>> wrote:
>     > Fiserv to Banks: Stay on Outdated Adobe Reader
>     >
>     > http://www.databreaches.net/?p=10550
>     >
>     >
>     > A poser to everyone out there.
>     >
>     > What will you do when your vendor sends you this advisory?
>     >
>     > I would like to conduct a poll of what your reactions will be.
>     >
>     >
>     > Cheers
>     > Onn Chee
>     >
>     >
>     >
>     >
>     > --
>     > Please Note: If you hit "REPLY", your message will be sent to
>     everyone on
>     > this mailing list (security-77 at meetup.com
>     <mailto:security-77 at meetup.com>)
>     > This message was sent by Wong Onn Chee (ocwong at usa.net
>     <mailto:ocwong at usa.net>) from The Singapore
>     > Security Meetup Group.
>     > To learn more about Wong Onn Chee, visit his/her member profile
>     > To unsubscribe or to update your mailing list settings, click here
>     >
>     > Meetup, PO Box 4668 #37895 New York, New York 10163-4668 |
>     > support at meetup.com <mailto:support at meetup.com>
>
>
>
>
>
>
>
>
>