We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,785 News Articles

Microsoft commits to secure coding standard

Microsoft says its coding practices and its corporate management structure both comply with an international application security standard to encourage secure software development.

Today at its Security Development Conference the company has issued a declaration of conformity with ISO 27034-1, an international standard that addresses secure coding practices as well as the organizational framework in which code is developed.

[ RELATED:Microsoft, Juniper, others in coding consortium issue guidelines for safer applications

SURVEY:Security practices wanting in virtual machine world

HELP:15 (FREE!) security tools you should try]

Microsoft says its security development lifecycle meets or exceeds requirements of ISO 27034-1, meaning that other organizations that follow SDL are that much closer to ISO 27034-1 compliance. An addendum to the standard cites SDL as a template that can help organizations comply, Microsoft says.

The declaration comes from Microsoft and is not the same as if a separate certification body had reviewed Microsoft practices and declared them compliant.

Software developed in compliance with the standard comes with some assurance that it is less likely to be vulnerable to exploits. In addition, organizations that develop in-house applications in accordance with the standard have some assurance that the investment they make in compliance will put them on a track to what is widely regarded as a proven route to more secure code.

Coding practices could use greater attention to security, according to a survey commissioned by Microsoft last fall. Of 2,726 respondents made up of IT pros and application developers, 37% say their organizations build their products with security in mind. Of the 492 developers in the poll 61% say they don't take advantage of risk mitigation technologies that already exist such as address space layout randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and data execution prevention (DEP).

The survey indicates that reasons for failing to use these techniques include convincing management that the cost of employing them is worthwhile.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.

Read more about software in Network World's Software section.


IDG UK Sites

Google Fit vs Apple Health Kit: What's the difference?

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Introducing generation tech

IDG UK Sites

This animated film reveals the importance of designing for everyone