Microsoft has declared conformance with ISO 27034-1, the first part of a relatively new international standard for secure software development.
The first part of the standard provides an overview of the concepts of application security, and will eventually be backed up by five other parts that currently exist only as working drafts.
“This standard provides clear requirements, benchmarks and examples of secure development processes,” said Scott Charney, corporate vice-president of Microsoft Trustworthy Computing (TwC).
“It provides software buyers and developers a way to talk about secure development processes in a structured way,” he told attendees of the Security Development Conference 2013 in San Francisco.
The standard provides a common validation language, offers a clear and simple outline for adopting a security development framework and serves as a competitive differentiator in the market, he said.
Committed to secure software development
ISO 27034 also gives businesses a way to identify suppliers that are committed to secure development practices and a way to demand that commitment by asking for conformance to the standard.
Charney believes the standard will help promote international harmonisation of secure development requirements, avoid divergent schemes and promote public-private partnerships for improving security.
“We encourage others in the software industry to conform and software users to ask for conformance as part of their procurement processes,” he said.
In the light of increased concern about supply chain security, said Charney, the standard provides a way to measure and improve security in a way that is scalable and repeatable.
From conformance to certification
While no third-party certification is available yet, by declaring conformance, Microsoft hopes to set an example to the rest of the software industry, said Steve Lipner, partner director, security software, at TwC.
“We want to encourage the industry to look at the standard and think about declaring conformance, and certification will come in time,” he told Computer Weekly.
Microsoft’s objective, he said, is to kick off the process and build momentum around the standard, which is only around 18 months old – relatively young in terms of ISO standards.
“Any company that is already doing secure software development and keeping track of its processes will not find it a big leap to conform to ISO 27034,” he said.
Microsoft believes that standardisation for secure development can help the C-suite and IT business decision-makers better understand the benefits of adopting a new process.
“We are excited about ISO 27034, and that is why Microsoft has declared conformance to the standard,” said Lipner.
Secure coding across all software categories
With reference to the Common Criteria for Information Technology Security Evaluation (ISO 15408), Lipner said ISO 27034 applies to all software, not just security software.
“The Common Criteria is focused on security products and features, but ISO 27034 is something you want to do for all software that is produced,” he said.
Microsoft Word, for example, is not a security product, but it still needs to be developed securely, so while the Common Criteria would not apply, ISO 27034 does, said Lipner.
Microsoft expects new certifications that reflect secure coding requirements. “We hope they will be based on ISO 27034, because it is flexible enough to meet real-world situations,” he said.