Microsoft declares conformance with ISO 27034-1

Microsoft has declared conformance with ISO 27034-1, the first part of an international standard for secure software development

Microsoft has declared conformance with ISO 27034-1, the first part of a relatively new international standard for secure software development.

The first part of the standard provides an overview of the concepts of application security, and will eventually be backed up by five other parts that currently exist only as working drafts.

“This standard provides clear requirements, benchmarks and examples of secure development processes,” said Scott Charney (pictured), corporate vice-president of Microsoft Trustworthy Computing (TwC).

“It provides software buyers and developers a way to talk about secure development processes in a structured way,” he told attendees of the Security Development Conference 2013 in San Francisco.

The standard provides a common validation language, offers a clear and simple outline for adopting a security development framework and serves as a competitive differentiator in the market, he said.

Committed to secure software development

ISO 27034 also gives businesses a way to identify suppliers that are committed to secure development practices and a way to demand that commitment by asking for conformance to the standard.

Charney believes the standard will help promote international harmonisation of secure development requirements, avoid divergent schemes and promote public-private partnerships for improving security.

“We encourage others in the software industry to conform and software users to ask for conformance as part of their procurement processes,” he said.

In the light of increased concern about supply chain security, said Charney, the standard provides a way to measure and improve security in a way that is scalable and repeatable.

From conformance to certification

While no third-party certification is available yet, by declaring conformance, Microsoft hopes to set an example to the rest of the software industry, said Steve Lipner, partner director, security software, at TwC.

“We want to encourage the industry to look at the standard and think about declaring conformance, and certification will come in time,” he told Computer Weekly.

Microsoft’s objective, he said, is to kick off the process and build momentum around the standard, which is only around 18 months old – relatively young in terms of ISO standards.

“Any company that is already doing secure software development and keeping track of its processes will not find it a big leap to conform to ISO 27034,” he said.

Microsoft believes that standardisation for secure development can help the C-suite and IT business decision-makers better understand the benefits of adopting a new process.

“We are excited about ISO 27034, and that is why Microsoft has declared conformance to the standard,” said Lipner.

Any company that is already doing secure software development and keeping track of its processes will not find it a big leap to conform to ISO 27034

Steve Lipner, Microsoft TwC

Secure coding across all software categories

With reference to the Common Criteria for Information Technology Security Evaluation (ISO 15408), Lipner said ISO 27034 applies to all software, not just security software.

“The Common Criteria is focused on security products and features, but ISO 27034 is something you want to do for all software that is produced,” he said.

Microsoft Word, for example, is not a security product, but it still needs to be developed securely, so while the Common Criteria would not apply, ISO 27034 does, said Lipner.

Microsoft expects new certifications that reflect secure coding requirements. “We hope they will be based on ISO 27034, because it flexible enough to meet real-world situations,” he said.


Read more on Application security and coding requirements

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.