Steve Lipner here. This morning Scott Charney announced in his keynote at the Security Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text from this announcement was as follows:
Microsoft has used a risk based approach to guide software security investments through a program of continuous improvement and processes since the Security Development Lifecycle (SDL) became a company-wide mandatory policy in 2004. In 2012, Microsoft used ISO/IEC 27034-1, an international application security standard as a baseline to evaluate mandatory engineering policies, standards, and procedures along with their supporting people, processes, and tools.
All current mandatory application security related policies, standards, and procedures along with their supporting people, processes, and tools meet or exceed the guidance in ISO/IEC 27034-1 as published in 2011.
ISO/IEC 27034 provides guidance for a risk based and continuously improving software security management system applied across the application lifecycle. ISO/IEC 27034-1, Annex A contains a case study illustrating how the SDL conforms to the components and processes of ISO/IEC 27034. ISO/IEC 27034-1 is published on the ISO website http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44378.
If you are interested in finding out more about ISO/IEC 27034, the paper “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization” from Reavis Consulting Group covers the value and importance of ISO 27034 for the software industry.