I'm curious how many of you have incorporated a Penetration Testing & Evaluation section in your organization's RFP documents. The reason I ask is because the CIO of our group has ordered revamping of all RFP documents to include a section on Penetration Testing & Evaluation as a requirement for purchase *AND* a provision that states the vendor must fix any *security* issues found after purchase even if the software is out of the normal or extended maintenance period. Basically, it's to force the software vendor to develop a patch for anything that we may miss during our "beat the crap out of the box party".

Anyway, yours truly will be faced with this task, and although I have my own views as to how this should look, any thoughts and/or examples would be helpful for insight into what the industry is doing.