Microsoft commits to secure coding standard

Network World | Security, Microsoft, secure coding

Microsoft says its coding practices and its corporate management structure both comply with an international application security standard to encourage secure software development.

Today at its Security Development Conference, the company issued a declaration of conformity with ISO 27034-1, an international standard that addresses secure coding practices as well as the organizational framework in which code is developed.


Microsoft says its Security Development Lifecycle (SDL) meets or exceeds the requirements of ISO 27034-1, meaning that other organizations that follow the SDL are that much closer to ISO 27034-1 compliance. An addendum to the standard cites the SDL as a template that can help organizations comply, Microsoft says.

The declaration is Microsoft's own; it is not the same as a separate certification body having reviewed Microsoft's practices and declared them compliant.

Software developed in compliance with the standard comes with some assurance that it is less likely to be vulnerable to exploits. In addition, organizations that develop in-house applications in accordance with the standard have some assurance that the investment they make in compliance will put them on a track to what is widely regarded as a proven route to more secure code.

Coding practices could use greater attention to security, according to a survey commissioned by Microsoft last fall. Of the 2,726 respondents, made up of IT pros and application developers, 37% say their organizations build their products with security in mind. Of the 492 developers in the poll, 61% say they don't take advantage of existing risk-mitigation technologies such as address space layout randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and data execution prevention (DEP).

The survey indicates that the reasons for not using these techniques include the difficulty of convincing management that the cost of employing them is worthwhile.
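Whether a shipped binary actually opts into ASLR and DEP is recorded in its PE header, so a build pipeline can verify it. The following script is an added example, not code from the article or from Microsoft: it reads the DllCharacteristics field of a PE image and reports the DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA (64-bit ASLR) and NX_COMPAT (DEP) flags; the `build_minimal_pe` helper constructs a header-only sample so the check can be exercised without a real executable. SEHOP is enforced by the operating system rather than by a flag in the image, so it is not something this check can see.

```python
import struct
import sys

# Flag bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):            # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers
    return struct.unpack_from("<H", data, opt_hdr + 70)[0]


def check_mitigations(data: bytes) -> dict:
    """Map the linker-controlled mitigation flags to readable booleans."""
    flags = pe_dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed sample: a header-only PE32+ image, just enough for the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew at 0x3C -> 0x40
    # COFF header: machine=x64, 0 sections, timestamps/symbols zero, 112-byte optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x0022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe_mitigations.py <file.exe|file.dll> (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x0140)
    print(check_mitigations(blob))
```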

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.


Originally published on Network World.