Microsoft filed comments last week with the U.S. Department of Defense in response to a request for information about Software Assurance practices and the governance of Software Assurance programs, writes Paul Nicholas, senior director of Global Security Strategy at Microsoft, on the Microsoft Security Blog.

Governments are “justifiably concerned” about Software Assurance (SwA) as part of their cybersecurity risk management efforts, and “opening a public dialogue about those concerns is the right way forward,” he writes. “We believe that governmental approaches to SwA should be effective at improving security, enable ongoing innovation, and encourage a global marketplace for IT products and services.” To those ends, Microsoft made three main recommendations:

Software Assurance requirements should be drawn from international standards whenever possible. Governments’ interest in Software Assurance “is timely because the International Standards Organization (ISO) recently finalized the first standard focused on secure software development, ISO/IEC 27034-1:2011.” This standard, Nicholas writes, “can also help an organization validate or identify gaps within its current application security program … Consistent with our commitment to a globally-harmonized approach to cybersecurity concerns, Microsoft has publicly announced its conformance with ISO/IEC 27034-1.”

Software Assurance efforts should be integrated with the Common Criteria Recognition Arrangement. Governments’ focus on Software Assurance “creates an opportunity to advance both global standardization of SwA practices and inter-governmental coordination towards improving software security. Microsoft has observed that governments often have similar SwA concerns. Moreover, many IT companies serve government customers across national boundaries.” Rather than creating “several domestic SwA regimes, we recommend that current SwA requirements based on ISO/IEC 27034 be integrated into ISO/IEC 15408 and the Common Criteria Recognition Arrangement (CCRA).”

Governments should expand Software Assurance-related outreach to industry. Government Software Assurance initiatives “would benefit from further engagement with industry. There are a number of developer-led activities underway in the private and public sectors that involve best practices for harnessing industry expertise in the development of security standards. For example, the Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective SwA methods.”

To read Nicholas’ full post, head over to the Microsoft Security Blog.

Suzanne Choney
Microsoft News Center Staff