--- owasp.txt 2009-01-16 10:36:31.343750000 -0500 +++ sans.txt 2009-01-16 10:36:32.031250000 -0500 
@@ -1,62 +1,62 @@ -WARNING: THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. OWASP STRONGLY RECOMMENDS THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT. +DISCLAIMER THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT -5. PERSONNEL AND ORGANIZATION -(a) Security Architect Developer will assign responsibility for security to a single senior technical resource, to be known as the project Security Architect. The Security Architect will certify the security of each deliverable. +Personnel +The Vendor shall identify in writing the person who will be responsible for overall security of the application development, management, and update process throughout the Contract period. The person identified shall be a single senior technical security specialist, to be known as the project Security Lead. The Security Lead shall certify in writing the security of each deliverable. Security Training -Developer will be responsible for verifying that all members of the developer team have been trained in secure programming techniques. +The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques. -Trustworthy Developers -Developer agrees to perform appropriate background investigation of all development team members. +Background Checks of Developers +Vendor shall perform appropriate background investigation of all development team members and shall certify that all individuals who will be involved in this Contract and the software development process have cleared the background investigation. -Vulnerabilities Are Expected -Both Client and Developer will strive to identify vulnerabilities as early as possible in the lifecycle. -Developer and Client agree to work together to understand and document the risks facing the application. 
This effort should identify the key risks to the important assets and functions provided by the application. Each of the topics listed in the requirements section should be considered. Developer agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure. Developer agrees to provide documentation that clearly explains the design for achieving each of the security requirements. Developer agrees to provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test. +Vulnerabilities, Risks and Threats +The Vendor shall agree in writing that he will strive to identify vulnerabilities, risks and threats as early as possible at any time during the software lifecycle. +The Vendor shall identify the key risks to the important assets and functions provided by the application. The Vendor shall conduct an analysis of the attached 25 most common programming errors and document in writing that they have been mitigated. The Vendor shall provide secure configuration guidelines in writing to the Purchaser that fully describe all security relevant configuration options and their implications for the overall security of the software. 
The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure. The Vendor shall provide written documentation to the Purchaser that clearly explains the design for achieving each of the security requirements. The Vendor shall provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for test. -6. DEVELOPMENT ENVIRONMENT +II. DEVELOPMENT ENVIRONMENT (a) Secure Coding -Developer shall disclose what tools are used in the software development environment to encourage secure coding. +The Vendor shall disclose what tools are used in the software development environment to encourage secure coding. (b) Configuration Management -Developer shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files. +The Vendor shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files. (c) Distribution -Developer shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client. +The Vendor shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client. 
-7. LIBRARIES, FRAMEWORKS, AND PRODUCTS -(a) Disclosure -Developer shall disclose all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source. -(b) Evaluation -Developer shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement. +(d) Disclosure +The Vendor shall document in writing to the Purchaser all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source. +(e) Evaluation +The Vendor shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement +III. TESTING -(e) Security Analysis and Testing -Developer agrees to provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this activity should be considered and detailed in the plan. Developer will execute the security test plan and provide the test results to Client. +(a) General +The Vendor shall provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this test process shall be detailed in the plan. The vendor shall implement the security test plan and provide the test results to Client in writing. -9. SECURITY ISSUE MANAGEMENT -(a) Identification -Developer will track all security issues uncovered during the entire lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. 
The risk associated with each security issue will be evaluated, documented, and reported to Client as soon as possible after discovery. -10. ASSURANCE +Tracking Security Issues +The Vendor shall track all security issues uncovered during the entire software lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue shall be evaluated, documented, and reported to Purchaser as soon as possible after discovery -(a) Assurance -Developer will provide a “certification package” consisting of the security documentation created throughout the development process. The package should establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. +IV. DELIVERY OF THE SECURE APPLICATION -(b) Self-Certification -The Security Architect will certify that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery. -(c) No Malicious Code +The Vendor shall provide a “certification package” consisting of the security documentation created throughout the development process. The package shall establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately. + +Self-Certification +The Security Lead shall certify to the purchaser in writing that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery. 
+ +No Malicious Code Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. -11. SECURITY ACCEPTANCE AND MAINTENANCE +V. SECURITY ACCEPTANCE AND MAINTENANCE -(a) Acceptance -The software shall not be considered accepted until the certification package is complete and all security issues have been resolved. +Acceptance +The software shall not be considered accepted until the Vendor certification package is complete and all security issues have been resolved. -(b) Investigating Security Issues -After acceptance, if security issues are discovered or reasonably suspected, Developer shall assist Client in performing an investigation to determine the nature of the issue. \ No newline at end of file +Investigating Security Issues +After acceptance, if security issues are discovered or reasonably suspected, Vendor shall assist Purchaser in performing an investigation to determine the nature of the issue \ No newline at end of file
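Review bot: the party renaming in this hunk is incomplete, which is a real problem in a contract because a term that is no longer defined has no meaning. The new text switches Developer to Vendor and Client to Purchaser, yet several lines still carry the old names: "verifying the integrity of the software delivered to Client", "provide the test results to Client in writing", "reviewed by at least one other Developer", and the unchanged No Malicious Code clause still opens with "Developer warrants". Those should read Purchaser and Vendor (or the clause should define Developer as the Vendor's development staff), and "certify to the purchaser" should be capitalised like every other use. Two structural points in the same hunk: removing the LIBRARIES, FRAMEWORKS, AND PRODUCTS heading leaves "(d) Disclosure" and "(e) Evaluation" nested under II. DEVELOPMENT ENVIRONMENT, and under III. TESTING "(a) General" is lettered while "Tracking Security Issues" is not; the Personnel section also has no "I." to match "II." onward. The new requirement to analyse "the attached 25 most common programming errors" refers to an attachment that is not part of this change, so either attach it or cite the list by name so the obligation is verifiable. Finally, replacing "Both Client and Developer will strive to identify vulnerabilities" and "agree to work together" with a Vendor-only duty is a substantive reallocation of responsibility, not a wording edit, and should be called out explicitly in the change description.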