This morning at the Security Development Conference in San Francisco, I am joined by hundreds of organizations that have traveled from all over the world to learn more about proven security development practices that can help reduce an organization’s exposure to threats on the Internet. As we anxiously await the two keynotes by Scott Charney and Howard Schmidt to kick off the day, I am reminded of the early days of computing, when security development was an afterthought for many organizations.
The threat landscape has evolved quite a bit over the past decade and the importance of software security is more evident than ever. To see so many security professionals in attendance at this year’s conference makes me cautiously optimistic that more and more organizations are starting to take application security seriously.
Despite the growing awareness of the need for application security, adoption numbers remain low. A recent Microsoft survey found that only 37% of IT professionals worldwide said their organizations build their products and services with security in mind. In that same study, 61% of developers were not taking advantage of mitigation technologies that already exist, such as ASLR, SEHOP and DEP. The three biggest roadblocks cited by IT professionals and developers were management approval, lack of support and training, and cost.
Today at the conference, Microsoft put a spotlight on the security development challenges facing the industry and highlighted ISO/IEC 27034-1 as an important advancement. As part of this, Microsoft announced its Declaration of Conformity to ISO/IEC 27034-1. By publicly conforming to the standard, we hope to serve as an example for other businesses looking to make a commitment to secure development. For more information about ISO 27034-1 and the value it brings, check out a paper by Jim Reavis titled “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization.” Microsoft also published a paper on “Secure software trends in healthcare,” which highlights Accuvent as an organization that has adopted a Security Development Lifecycle process. You can learn more about these announcements in a blog post from Steve Lipner, Partner Director of Software Security at Microsoft.
Over the course of two days, leading organizations at the conference, including Adobe, Cisco, PayPal, Twitter, Verizon and HP, will share their perspectives and experiences on the importance of secure application development, best practices, and how security professionals can accelerate adoption within their organizations. If you are unable to attend in person, I encourage you to follow this blog as we recap the event and share video interviews with the various keynote speakers and attendees.