Microsoft says its coding practices and its corporate management structure both comply with an international application security standard to encourage secure software development.
Today at its Security Development Conference the company issued a declaration of conformity with ISO 27034-1, an international standard that addresses secure coding practices as well as the organizational framework in which code is developed.
Microsoft says its Security Development Lifecycle (SDL) meets or exceeds the requirements of ISO 27034-1, meaning that other organizations that follow the SDL are that much closer to ISO 27034-1 compliance. An addendum to the standard cites the SDL as a template that can help organizations comply, Microsoft says.
The declaration comes from Microsoft and is not the same as if a separate certification body had reviewed Microsoft practices and declared them compliant.
Software developed in compliance with the standard comes with some assurance that it is less likely to be vulnerable to exploits. In addition, organizations that develop in-house applications in accordance with the standard have some assurance that their investment in compliance puts them on what is widely regarded as a proven route to more secure code.
Coding practices could use greater attention to security, according to a survey commissioned by Microsoft last fall. Of 2,726 respondents made up of IT pros and application developers, 37% say their organizations build their products with security in mind. Of the 492 developers in the poll, 61% say they don't take advantage of risk mitigation technologies that already exist, such as address space layout randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and data execution prevention (DEP).
The survey indicates that the reasons for failing to use these techniques include the difficulty of convincing management that the cost of employing them is worthwhile.
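Two of the mitigations named in the survey, ASLR and DEP, are opt-in per binary on Windows: the linker records them as bits in the `DllCharacteristics` field of the PE optional header (`DYNAMIC_BASE` for ASLR, `NX_COMPAT` for DEP), so an audit of whether a product actually uses them amounts to reading that field. SEHOP is configured at the operating-system level rather than in the image, so it is not covered here. The following is an added example, not code from the article or from Microsoft, that parses those header bits from a PE image and reports which mitigations are missing. The `build_stub_pe` helper constructs a minimal, non-loadable PE header for offline testing; the flag values and header offsets are the documented PE format constants.

```python
"""Audit a PE image for ASLR/DEP opt-in flags in the optional header."""
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits from the PE format specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (PE32+ only)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def pe_mitigation_flags(data: bytes) -> dict:
    """Return which per-image mitigations the PE image at `data` opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + DLLCHARACTERISTICS_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(data: bytes) -> list:
    """List the mitigations a build should have enabled but did not."""
    flags = pe_mitigation_flags(data)
    missing = []
    if not flags["aslr"]:
        missing.append("ASLR (/DYNAMICBASE)")
    if not flags["dep"]:
        missing.append("DEP (/NXCOMPAT)")
    # High-entropy ASLR only applies to 64-bit images.
    if flags["pe32plus"] and not flags["high_entropy_va"]:
        missing.append("High-entropy ASLR (/HIGHENTROPYVA)")
    return missing


def build_stub_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not loadable) used as sample input."""
    e_lfanew = 0x40
    dos_header = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos_header + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> list:
    """Convenience wrapper for auditing a real build artifact on disk."""
    with open(path, "rb") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    hardened = build_stub_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
    )
    weak = build_stub_pe(0, pe32plus=False)
    print("hardened build missing:", missing_mitigations(hardened))
    print("weak build missing:", missing_mitigations(weak))
```

Running `check_file` over the binaries in a release directory turns the survey's "61% don't use ASLR/DEP" into a concrete per-artifact finding that a build pipeline can fail on; the flags are set by the MSVC linker options named in the `missing_mitigations` output.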