Microsoft Commits to Secure Coding Standard

Microsoft says its coding practices and its corporate management structure both comply with an international application security standard to encourage secure software development.

Today at its Security Development Conference the company issued a declaration of conformity with ISO 27034-1, an international standard that covers secure coding practices as well as the organizational framework in which code is developed.

Microsoft says its Security Development Lifecycle (SDL) meets or exceeds the requirements of ISO 27034-1, meaning that other organizations that follow the SDL are that much closer to ISO 27034-1 compliance. An addendum to the standard cites the SDL as a template that can help organizations comply, Microsoft says.

The declaration is a self-assessment by Microsoft; it is not the same as a separate certification body having reviewed Microsoft's practices and found them compliant.

Software developed in compliance with the standard comes with some assurance that it is less likely to contain exploitable vulnerabilities. Organizations that develop in-house applications in accordance with the standard likewise have some assurance that their investment in compliance follows a route to more secure code that is widely regarded as proven.

Coding practices could use greater attention to security, according to a survey commissioned by Microsoft last fall. Of 2,726 respondents, made up of IT pros and application developers, 37% say their organizations build their products with security in mind. Of the 492 developers in the poll, 61% say they don't use exploit mitigation technologies that already exist, such as address space layout randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and data execution prevention (DEP).

Among the reasons respondents gave for not using these techniques was the difficulty of convincing management that the cost of employing them is worthwhile.
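A practitioner's check to go with the survey figure above, added here as an example and not code from the article or from Microsoft: ASLR and DEP are per-image opt-ins that the linker records in the PE header (/DYNAMICBASE sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, /NXCOMPAT sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT), so a build pipeline can verify them without running the binary. The script below parses the DOS, COFF and optional headers directly, flags the case where /DYNAMICBASE is set but base relocations were stripped (the loader then cannot move the image, so ASLR is ineffective), and runs against three constructed sample headers. SEHOP is a system- or per-process setting rather than a field in the image, so it is not reported here. The flag values are the documented PE/COFF constants; the sample headers, script name and function names are assumptions made for this example.

```python
import struct
import sys

# Flag values from the PE/COFF specification (IMAGE_FILE_HEADER.Characteristics
# and IMAGE_OPTIONAL_HEADER.DllCharacteristics).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no base relocations: image cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit ASLR may use full address space
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: opt in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCOMPAT: opt in to DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # /guard:cf: Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image and report which opt-in mitigations it carries."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte PE signature.
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")

    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag_set": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # /DYNAMICBASE is meaningless without relocations: the loader cannot move the image.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations a build should have enabled but did not."""
    r = check_mitigations(data)
    missing = []
    if not r["dep"]:
        missing.append("DEP (/NXCOMPAT)")
    if not r["aslr"]:
        missing.append("ASLR (/DYNAMICBASE with relocations)" if not r["aslr_flag_set"]
                       else "ASLR (flag set but relocations stripped)")
    if r["pe32plus"] and not r["high_entropy_va"]:
        missing.append("64-bit high-entropy ASLR (/HIGHENTROPYVA)")
    return missing


def build_header(dllchars: int, characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample: minimal DOS stub + PE signature + COFF header + optional header.

    Only the fields the checker reads are populated; the result is not a loadable image.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples (not real binaries): a modern hardened build, a legacy 32-bit build that
# opted out of everything, and a 64-bit build that set /DYNAMICBASE but was linked /FIXED.
HARDENED_SAMPLE = build_header(
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | IMAGE_DLLCHARACTERISTICS_GUARD_CF,
    characteristics=0x0022)
LEGACY_SAMPLE = build_header(0, characteristics=0x0102 | IMAGE_FILE_RELOCS_STRIPPED, pe32plus=False)
FIXED_BASE_SAMPLE = build_header(
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
    characteristics=0x0022 | IMAGE_FILE_RELOCS_STRIPPED)

if __name__ == "__main__":
    # Usage: python check_pe_mitigations.py [file.exe ...]; with no arguments, scan the samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("hardened", HARDENED_SAMPLE), ("legacy", LEGACY_SAMPLE), ("fixed-base", FIXED_BASE_SAMPLE)]
    for name, blob in targets:
        gaps = missing_mitigations(blob)
        print(f"{name}: {'OK' if not gaps else ', '.join(gaps)}")
```

On a Windows build host the same bits are printed by dumpbin /headers under "DLL characteristics"; the value of parsing them yourself is that the check can run on any platform as a release gate. The script does not inspect the Load Configuration directory, so it says nothing about SafeSEH tables, and a clean result still only means the image opted in: the mitigations take effect only on an OS that honours the flags.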

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.

This story, "Microsoft Commits to Secure Coding Standard" was originally published by Network World.
