  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: InfoSec Clauses to be included in SLAs on: February 21, 2012, 06:33:27 AM
Many thanks dynamik for your input and advice!

Well, my management does not want to go legal on this... don't know why, but a big NO! So now I am looking to get some standard clauses to be included in the SLA that will bind the application developers to release security patches/upgrades/updates for the period of the support contract (I thought it's by default like this Shocked). Anything that I ask them to do, they will say "it's a new request and you need to route it via commercials" (for example, I asked them to jail FTP users into their home directories---errr, this is a new requirement... and I am like, what the Angry). Anyhow, what's done is done! For the future I need some explicit clauses that will force them to patch/reconfigure flawed software/OS/databases etc. Why explicit? Because they are white collar bandits and my management is ------- just like others in the big world... so I need some textual statements that will literally force a bad system solution vendor to fix an error, as part of their maintenance agreement, that leads to a fraud or a security incident! By the way, am I right in demanding this protection??
2  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: InfoSec Clauses to be included in SLAs on: February 12, 2012, 11:25:10 PM
Sorry for being away for long---had been busy since my last post!!
So the scenario is: Company A (that’s me now) bought a solution from Company B (Company B is a big giant of their market). The solution was bought a few years back when no one thought of security seriously (at least now a few are thinking of it seriously Smiley). The solution proved to be falling short (in fact falling a long way short) of any security consideration in it (can you believe the vendor did not enable auditing and logging at the DB level Huh). And as expected, a huge fraud waved Company A on the business dance floor. Company B has been a contractor for Support & Maintenance activities for the solution (a level 2 support contact). After the fraud, Company B proposed a security solution (system hardening, application and DB level auditing, and putting in a door to shut further frauds through that same channel) for $$$$$$. Now the question: “Can I include clauses in my contract or SLA with Company B to force them to implement security controls in the solution?” If yes, then how can I word them? If NO!!! Well, how can I go about these situations? Share your thoughts!!
3  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / InfoSec Clauses to be included in SLAs on: February 02, 2012, 04:30:09 AM
Hello all! I did my search on Google (did not put all my heart in it though) to find a suitable answer to the question: What information security related points or clauses shall we include in an SLA? I started by adding a right to conduct a vulnerability assessment on the target systems at least annually or whenever there is a major change in the solution.
Second to test applicable security patches on the underlying system components (including OS, other software, Databases) as recommended by the vendor.


What else can be added???
4  Ethical Hacking Discussions and Related Certifications / Security / Re: CEH = Exam Fee $500 + $100, Will you attempt it? on: November 22, 2011, 02:10:14 AM
Well, I too did my CEH back when it was V5. But my question is: how many of you will attempt this cert given the current commercial settings? And in my opinion the current cost is not justifiable. The most disturbing part is the way this hike is brought about (doubling the price Huh what a revolutionary world we are living in today!!!)? It's the same old CEH with a few additions to its course contents (well, every cert adds new material to its existing course contents continuously and they do not suddenly go and double the price). It's the price hike that disturbs me. And in my opinion they are simply acting out of their greed here!!! But the good thing I have seen in my part of the world is... this approach has actually backfired for the EC-Council.
 
5  Ethical Hacking Discussions and Related Certifications / Security / Re: CEH = Exam Fee $500 + $100, Will you attempt it? on: November 21, 2011, 07:36:06 AM
So it seems nobody wants to become a CEH anymore!!! This is expected and trust me I have seen (and actually advised) many not to go for this certification as the cost does not justify the value it adds to one's career.

Good luck to you all.

6  Ethical Hacking Discussions and Related Certifications / Security / Re: CEH = Exam Fee $500 + $100, Will you attempt it? on: October 28, 2011, 08:25:25 AM
Hmmmm, so in your opinion EC-Council has simply adjusted the price of their cert as per the market trends!!! Well I tend to disagree.

Current price is doubled + that non-refundable for self study... I really doubt that doubling the price without any significant value addition is a market trend! But still even if we say it is ... the question remains, "Will you attempt it with this commercial setting or would you prefer any other cert in the market to spend money on?"

I still say a big NO to CEH, I wonder how many of us out there would say YES Smiley
7  Ethical Hacking Discussions and Related Certifications / Security / Re: CEH = Exam Fee $500 + $100, Will you attempt it? on: October 19, 2011, 02:10:16 PM
I don't want to say anything bad about the certification itself (I don't recommend going after it either), but I can't get to the bottom of this big price raise in the fee for the certification. And the excuse that this much fee will thwart non-serious juniors from attempting it does not make any sense; they could have just added an extra $100 on top of the old price to do this. But what extra/revolutionary change does this certification bring or can bring in one's information security career? I cannot figure out the justification for this move (which in my opinion is just aimed at looting and then forcing candidates to pay a tip of $100 on top Angry). How can they justify this raise? And please don't come up with something like "It is their certification and they can do whatever they want"; although this can be an answer, it does not help in dissolving the impression that this is purely out of their greed and has nothing to do with the quality or value of this certification. Almost all of us do not have any problems with the fee of SANS GPEN or OSCP as we know the quality and value of those certs... but CEH!!! Man, c'mon! I don't know why, but I really want EC-Council to come out on this with some good argument!

Will you attempt this cert even if your employer pays the bill for you?

(My answer is a big NO, I don't want my employer's bucks to be wasted in the name of a cert like CEH, but if it is priced at around $300, well, then maybe I will go for this Smiley).
8  Ethical Hacking Discussions and Related Certifications / Security / Re: CEH = Exam Fee $500 + $100, Will you attempt it? on: October 12, 2011, 12:58:57 AM
So most of us would not go for it from our own pocket and would wait for the budget to be allocated and made available out of the employer's pocket!!! But the question is "Is it really worth it?" Is this certification a big forward knowledge gear? Or a career bolstering piece? Or does it really help you conduct practical pentesting? Well, even if the answer is YES for some of us, the big negativity that spirals out is this... "they just woke up in the morning and saw owww we have V7, well this is a big milestone... so let's grab some cash... why not just double the fee... wait... not just double it... why do they opt for self study when we are already selling it... hmmm that is bad... so all you self stud(y)iers, you bloody hardworking (eh) security pros, you need to shed an extra $100 on top... and in the end all you get is "C|EH"!!!

Can you see it? No? Just roll a little into recent past and see what was the price? I would say a bad commercial move... and the cert would die under its own weight. Why not they just put "Only For DoD aspirants" tag??  Wink
9  Ethical Hacking Discussions and Related Certifications / Security / CEH = Exam Fee $500 + $100, Will you attempt it? on: October 11, 2011, 08:21:42 AM
Bad move, I would say!!! EC Council has hiked the CEH fee to $500, and it's even worse for those who opt for self study (they are punished for not paying $$$$ for the official training, I guess) as they will have to pay a NON-REFUNDABLE fee of $100 in the name of application processing, and if they accept your application then you may go to buy an exam voucher for $500, and if they don't accept your application then you won't get any refunds.

With this commercial setting, will you go and attempt C|EH?