OWASP / Top10

Official OWASP Top 10 Document Repository

+O: Add something about VAST managing vendors #30

Closed vanderaj closed 7 years ago

vanderaj commented 7 years ago

Public site still https://wiki.mobilehealth.va.gov/display/OISSWA/OIS+Software+Assurance, see now e.g. MS TMT tech notes, design review SOP, etc. Maybe just a sub-bullet on the organizational page: Start your appsec program. If you're managing vendors, implement a VAST program. Maybe a callout then with a definition about VAST. Mike Boberski

Neil-Smithline commented 7 years ago

FYI @boberski

Boberski commented 7 years ago

See also https://michaelboberski.tumblr.com/post/160316825813/a-suggested-more-formal-definition-of-vendor

vanderaj commented 7 years ago

Thanks @Boberski - I've incorporated your suggested change.

If you have further feedback, please use the QA item I'll open up in a few minutes for this chapter.

vanderaj commented 7 years ago

Also, we miss you on the ASVS project. We are going to do a huge QA / clean up of the ASVS and release 3.1 to coincide with the OWASP Top 10 release, so if you want to help out, please let us know.