Microsoft Talks Secure Coding Practices, Standards at Security Development Conference

Microsoft’s coding practices and methodology comply with an international standard for developing secure software, the company said Tuesday.

Microsoft’s Security Development Lifecycle (SDL) meets or exceeds the requirements of ISO 27034-1, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing group, said at the company’s Security Development Conference on Tuesday. This means organizations that have adopted the SDL are likely to be compliant with ISO 27034-1, Tim Rains, director of Trustworthy Computing, told SecurityWeek in an email.

Microsoft has been using the SDL for its own products since 2004 and made the methodology available to other organizations starting in 2007. ISO/IEC 27034-1 offers a “common validation language” for security development practices and gives organizations a clear and simple outline for adopting a security development framework, Rains said.

“The industry has an obligation to develop a culture where security development is not only valued, but demanded. Organizations today simply cannot afford to conduct business online without prioritizing security,” Rains said.

The standard even has an addendum, Annex A, which identifies Microsoft SDL as a template for organizations to use to conform to the standard, Rains said.

Having a formal software development methodology doesn’t automatically mean the software will have no vulnerabilities, WhiteHat Security’s Jeremiah Grossman told SecurityWeek earlier this month after WhiteHat released its software security report. But following a methodology and best practices means some of the issues never make it into the software, and the software is much more secure from the outset.

ISO 27034-1, from the International Organization for Standardization and the International Electrotechnical Commission, is the first such worldwide standard to focus on the processes and frameworks organizations need to build a comprehensive software security program, Steve Lipner, partner director of Software Security at Trustworthy Computing, wrote on the TWC blog Tuesday.

While many developers understand the importance of security development, the vast majority of organizations have not adopted formal security development practices, Rains said. In a recent comScore study of over 2,200 IT professionals and 490 developers, only 37 percent of IT professionals said their organizations built products with security in mind. About 61 percent of developers said they were not taking advantage of defense mitigation technologies such as Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), and data execution prevention (DEP).

Developers may not be using ASLR, SEHOP, DEP, and other technologies because management may not be convinced the cost of using them is worthwhile, Lipner said. Being ISO-compliant will help gain management approval, Lipner said.

Even though these technologies are freely available and are simple additions to existing practices, “only a minority of developers are leveraging them,” Lipner said. Microsoft offers SDL for Agile, the Threat Modeling tool, and the Attack Surface Analyzer, to help automate and enhance the SDL, become more efficient, and ease implementation challenges.

Developing secure software actually translates to cost savings, Lipner said, citing an Aberdeen Group study showing that companies with an SDL-like strategy realized a 4.0-times return on their annual application security investments. Forrester has also said that organizations that have adopted the SDL tend to report better ROI than average.

With increasing demand for new features and fast development times, it is too easy to have security take the back seat “to the commercial pressures of being first to market, or to stand out with amazing features,” Lipner said. Lipner also mentioned the new security engineering training modules launched by SAFECode on Tuesday.
