- Who in the vendor organization is responsible for information security?
- What security qualifications does the vendor’s staff have?
- What steps do they take to ensure their products do not include vulnerabilities in them, specifically the OWASP top 10?
- What security standard, such as ISO 27001:2005, is the vendor certified against?
- You could look into including the entire or parts of the OWASP Secure Software Contract Annex and this earlier Selecting a Secure Development Partner blog post of mine.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute's weekly SANS NewsBites.