Common use of Software Deliverables Clause in Contracts

Software Deliverables. To the extent that Supplier is providing or using deployed software, whether in any JPMC’s, Supplier’s or any other test or production environment, or providing any software development services for JPMC, Supplier shall demonstrate the maturity of controls in its development process. In conjunction with delivery of the software, Supplier agrees to complete a vBSIMM assessment and provide to JPMC applicable documentation and/or artifacts which substantiate that the following software development controls are in place for the scope of the Deliverables being provided to JPMC hereunder: (i) security requirements documented during the requirements phase of the software development life cycle; (ii) architectural framework(s) designed for resiliency and security; (iii) static code analysis during development (secure code review of the entire code base based on, at a minimum, the Open Web Application Security Project (OWASP) Top 10 and SysAdmin, Audit, Networking, and Security Institute (SANS) Top 25 software security risks or comparable replacement); (iv) dynamic scanning of web-facing applications and penetration testing of internal applications, using industry standard testing methodologies during the build process or quality assurance process; (v) open source code used in Supplier-provided applications must be appropriately licensed, inventoried and evaluated for security defects; and (vi) security vulnerability management.
If Supplier is unable to substantiate that the software is free of material security defects (i.e., no critical or high risk defects) through the above assessment, Supplier will conduct a software vulnerability scan (using an industry standard tool, e.g., Veracode), or submit to application scanning from a JPMC-approved vendor, and (x) share the detailed results of that scan with JPMC; (y) to the extent that scan identifies any critical or high risk vulnerabilities, Supplier will remediate those vulnerabilities before implementation of the software into production (whether the software is hosted by JPMC, Supplier or a third party on behalf of either); and (z) develop and implement remediation plan(s) to address any other vulnerabilities to JPMC’s reasonable satisfaction (such plan to be provided to JPMC) with the remediation occurring as soon as reasonably practicable, not to exceed six months of the discovery of such vulnerabilities. If Supplier provides an externally facing application as part of the Services (“Externally Facing Application”), at no additional cost to JPMC, Supplier will provide a production-like instance of the Externally Facing Application for JPMC software vulnerability scanning purposes. Supplier will ensure the instance is up to date within 30 days of written communication from JPMC of the pending scanning activities. To the extent that scan identifies any critical or high risk vulnerabilities, Supplier will remediate those vulnerabilities within five days (whether the Externally Facing Application is hosted by Supplier or a third party on behalf of Supplier). Further, Supplier will develop and implement remediation plan(s) to address any other vulnerabilities to JPMC’s reasonable satisfaction (such plan to be provided to JPMC) with the remediation completed as soon as reasonably practicable, not to exceed six months of the discovery of such vulnerabilities.
Nothing in this Section 3.1(b) limits any rights of JPMC to conduct any audits, assessments, scans or the like pursuant to this Agreement or the applicable Schedule. If Supplier does not respond timely to the above obligations, as determined by JPMC, JPMC may perform such audits, assessments, scans and the like, and Supplier will promptly reimburse JPMC for all reasonable costs associated with its efforts.

Appears in 2 contracts

Sources: Master Agreement (Cardlytics, Inc.), Master Agreement (Cardlytics, Inc.)