Microsoft Talks Secure Coding Practices, Standards at Security Development Conference

Microsoft’s coding practices and methodology comply with an international standard for developing secure software, the company said Tuesday.

Microsoft’s Security Development Lifecycle (SDL) meets or exceeds the requirements of ISO 27034-1, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing group, said at the company’s Security Development Conference on Tuesday. This means organizations that have adopted the SDL are likely to be compliant with ISO 27034-1, Tim Rains, director of Trustworthy Computing, told SecurityWeek in an email.

Microsoft has been using the SDL for its own products since 2004 and made the methodology available to other organizations starting in 2007. ISO/IEC 27034-1 offers a “common validation language” for security development practices and gives organizations a clear and simple outline for adopting a security development framework, Rains said.

“The industry has an obligation to develop a culture where security development is not only valued, but demanded. Organizations today simply cannot afford to conduct business online without prioritizing security,” Rains said.

The standard even has an addendum, Annex A, which identifies Microsoft SDL as a template for organizations to use to conform to the standard, Rains said.

Having a formal software development methodology doesn’t automatically mean the software will have no vulnerabilities, WhiteHat Security’s Jeremiah Grossman told SecurityWeek earlier this month after the company released its software security report. But following a methodology and best practices means some of the issues never make it into the software, and the software is much more secure from the outset.

ISO 27034-1, from the International Organization for Standardization and the International Electrotechnical Commission, is the first such worldwide standard to focus on the processes and frameworks organizations need to build a comprehensive software security program, Steve Lipner, partner director of Software Security at Trustworthy Computing, wrote on the TWC blog Tuesday.

While many developers understand the importance of security development, the vast majority of organizations have not adopted formal security development practices, Rains said. In a recent comScore study of over 2,200 IT professionals and 490 developers, only 37 percent of IT professionals said their organizations built products with security in mind. About 61 percent of developers said they were not taking advantage of defense mitigation technologies such as Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), and data execution prevention (DEP).

Developers may not be using ASLR, SEHOP, DEP, and other technologies because management may not be convinced the cost of using them is worthwhile, Lipner said. Being ISO-compliant will help gain management approval, Lipner said.

Even though these technologies are freely available and are simple additions to existing practices, “only a minority of developers are leveraging them,” Lipner said. Microsoft offers SDL for Agile, the Threat Modeling tool, and the Attack Surface Analyzer, to help automate and enhance the SDL, become more efficient, and ease implementation challenges.

Developing secure software actually translates to cost savings, Lipner said, citing an Aberdeen Group study showing that companies with an SDL-like strategy realized a 4.0-times return on their annual application security investments. Forrester has also said that organizations that have adopted the SDL tend to report better ROI than average.

With increasing demand for new features and fast development times, it is too easy to have security take the back seat “to the commercial pressures of being first to market, or to stand out with amazing features,” Lipner said. Lipner also mentioned the new security engineering training modules launched by SAFECode on Tuesday.
