Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text from this announcement was as follows:
Microsoft has used a risk-based approach to guide software security investments through a program of continuous improvement and processes since the Security Development Lifecycle (SDL) became a company-wide mandatory policy in 2004.

In 2012, Microsoft used ISO/IEC 27034-1, an international application security standard, as a baseline to evaluate mandatory engineering policies, standards, and procedures along with their supporting people, processes, and tools.

All current mandatory application-security-related policies, standards, and procedures, along with their supporting people, processes, and tools, meet or exceed the guidance in ISO/IEC 27034-1 as published in 2011.

ISO/IEC 27034 provides guidance for a risk-based and continuously improving software security management system applied across the application lifecycle. ISO/IEC 27034-1, Annex A contains a case study illustrating how the SDL conforms to the components and processes of ISO/IEC 27034.
ISO/IEC 27034-1 is published on the ISO website http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44378.
If you are interested in finding out more about ISO/IEC 27034, the paper “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization” from Reavis Consulting Group covers the value and importance of ISO 27034 for the software industry.
http://blogs.msdn.com/