Monday, March 26, 2007

Risk Assessment: EULAs and contracts

One of the often neglected parts of a security program is the contracts that your organization enters into with vendors. Often organizations accept the standard boilerplate rather than negotiating a more favorable position, or accept a EULA that contains conditions that the organization may regret. This is a great place to apply some of the tools and tactics that you apply to other security projects - checklists, risk assessment, and standards.

One tactic I like to recommend is to work with your legal representation to create a checklist for reviewing EULAs and other agreements. Being able to filter out agreements with issues that are easily found up front can save significant time: your lawyer's time is often expensive, and doing a first-round check can save you money and pain in the event the contract becomes an issue. The EFF provides a good user-level guide to dangerous EULA terms, which can be a good starting point. Once you have a checklist, you can pull out risky or questionable clauses for closer review.

When you develop the checklist, make sure to separate your categories: terms that are completely unacceptable should be noted, and terms that are questionable, or for which you prefer alternate language, should be marked as such. If a clause that your company requires isn't present, that should be accounted for as well.

While a checklist isn't a substitute for proper legal review, it can help weed out some of the worst EULAs and contracts.

Along those lines, check out the OWASP Secure Software Contract Annex. Organizations that hire third-party developers should have a well-understood contract, and projects like this help smaller organizations with something they might not have the resources or in-house expertise to handle.
