Related Links

Top 5 Stories


Microsoft Declares Conformity to ISO 27034-1 and Scott Charney Calls for Industry to Follow

14 May 2013

Opening the Security Development Conference in San Francisco, May 14 2013, Microsoft’s corporate vice president of Trustworthy Computing, Scott Charney, called for vendors and governments to follow Microsoft’s lead in conforming to the ISO 27034-1 standard.

Today, Microsoft “declares its conformity to ISO 27034-1”, announced Charney in his keynote address. The standard, he described, is a “flexible and adaptable framework for implementing and demonstrating secure development practices.” 

Charney called on the audience, Government and vendors to also pledge their conformance to ISO 27034-1, which he considers “allows the even measurement of security.”

Charney spent the majority of his address analysing the evolution of the Secure Development Lifecycle since its birth in 2002. “Steve Lipner once said that the magic of the SDL isn’t that we can do secure development, but that we can apply it across multiple business divisions involving 36,000 engineers, and I always remember that as being so true.”

The Security Development lifecycle is built around five foundations: Policy; training; consulting; tooling; and measurement, Charney said. “The measurement is important not just to determine whether it is being done, but to find out whether it’s having the expected impact. Has running the tool made the product more secure?”

In the early days of the SDL, it was viewed within Microsoft “as a tax. Over time, it became apparent that customers were happier, and thus [SDL] became viewed as a competitive advantage and a value proposition. It was a seminal moment.”

As the SDL matured, customers stopped complaining about security, remembered Charney. “People had a perception of Microsoft code being way too vulnerable. Perception matters – it drives decisions.”

Evolution in attitudes within Microsoft was significant in other ways too. “In the old Microsoft model, developers were King. But it’s not appropriate for any developer – no matter how good – to make a decision or approve a release that might put the company at risk”, said Charney.

The other significant philosophical shift which Charney referred to is the acceptance that vulnerabilities will “never be reduced to zero. We tracked vulnerabilities and saw them reducing at a significant pace – admittedly aided by the fact that the original vulnerability numbers were very high – but knew we’d never get to zero. It’s just not possible”, he said.

Focus was thus shifted to defense in depth, mitigation, and “keeping people secure by using products securely. We need to make the internet as secure – or more secure – than the physical world, without promising complete security which we can’t keep.”


This article is featured in:
Application Security  •  Compliance and Policy  •  Industry News


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×