Microsoft’s Lipner Declares Cost and Lack of Management Approval Secure Development Roadblocks

“It’s time to move away from isolated implementation of the secure development process”, Lipner said, acknowledging that developers have more on their minds than security. “Developers are thinking of new features and functions, and on meeting customer demand in a timely manner.”

Customer demand, however, now includes security, Lipner argued. “We believe that security is a must-have. It’s now a customer demand.” The internet, he observed, is “part of the fabric of society. Not being secure has a significant impact, and is a real-world concern.”

Despite this, Lipner noted, the statistics show that only 37% of IT professionals say their organisations build products and services with security in mind, and 61% of developers do not use the built-in platform mitigation technologies already available to them.

It is Microsoft’s objective – through efforts like the Security Development Conference – to enable developers and organisations to address the roadblocks in the way of secure development and secure design, Lipner explained.

One way to win management acceptance is through standardisation and compliance, Lipner advised. “The ISO standard can be a force for management acceptance. We’re excited about ISO 27034-1 and are moving forward to attest to it”, he said, reinforcing Scott Charney’s keynote message.

ISO 27034-1, Lipner explained, is the “first to focus on the processes and framework needed to build a comprehensive software security programme.” Conformance becomes a competitive differentiator and gives customers a way to ask whether their suppliers, vendors and technology partners practise secure development. “The standard provides a language in which they can get those answers”, he said. “ISO 27034-1 gives businesses a way to identify the suppliers that are committed to security development practices.”

ISO 27034-1 identifies Microsoft’s Security Development Lifecycle (SDL) as a process that can help organisations conform to the standard. “Organisations that use SDL are that much closer to compliance”, Lipner announced.

Returning to his earlier point that cost is a roadblock to secure development, Lipner said: “The cost of secure development is less than the cost of not doing it.”
