Microsoft, IT Industry Push Software Security Standard
A collection of large software companies has thrown its weight behind two initiatives that attempt to make the process of developing secure software more attainable to smaller software makers.
At the Security Development Conference May 14, Microsoft announced its support for an international standard, ISO 27034, that defines the process and practices that comprise a secure development program. The same day, the Software Assurance Forum for Excellence in Code (SAFECode), an industry association that promotes better development practices, announced the first modules in a free Web-based training program for developers on secure coding practices.
The push by larger software firms underscores that developers need to start designing security into their products from the start, Tim Rains, director of Trustworthy Computing at Microsoft, told eWEEK.
"We believe that companies can't continue to afford to conduct business online without prioritizing security," he said. "Developers should download the materials, leverage all the tools they can get for free, and look at this ISO standard."
Microsoft has pushed heavily for secure software since co-founder, and then chairman, Bill Gates kicked off its Trustworthy Computing Initiative in 2002 with a missive to the company's workers to put security ahead of features. Microsoft was the only company that managed to report fewer vulnerabilities in 2012 than its 10-year average, according to a study of vulnerability data by NSS Labs.
The International Organization for Standardization (ISO) created the first part of its secure programming techniques document, 27034-1, in November 2011. The document, which gives an overview to companies and developers of the elements that constitute a secure development process, can be a good foundation for companies that want to set security requirements for the purchase of software. The standard also gives developers a starting point to create a program that will improve their software's security.
"We see this as beneficial to both businesses that sell software and customers that purchase software, because it provides a common language for secure development practices," Rains said. "This is a standard focused on software development, and the first one of its kind to focus on processes and frameworks really needed to develop a comprehensive software security program around development."
An industry group also announced at the Security Development Conference that it had released the first six training modules to introduce programmers and project managers to secure development practices. SAFECode, a group of technology and communications companies that aims to improve the security of software and hardware products, released modules on cross-site request forgery, password security and Windows access controls, among others, on a new training Website May 14. The current content is introductory—or "101" courses under its college curriculum numbering scheme. Future content will include more advanced 201 and 301 courses, Howard Schmidt, executive director of SAFECode and former White House cyber-security advisor, told eWEEK.
"Having some manager folks—who may not be developers but help manage the groups—understand that this is not something that you build on later, but a necessity that you build in from the outset, is important," he said.
The program is sponsored by Adobe, which kicked off its own security development initiative in 2009. The company revamped its development practices and focused on making its ubiquitous Acrobat and Flash software more difficult for attackers to exploit.