Last week, Microsoft filed comments with the U.S. Department of Defense in response to a Request for Information regarding software assurance (SwA) practices and the governance of SwA programs. We were pleased to have the opportunity to provide input and share our experiences building a robust SwA program. 

Microsoft has invested significantly in secure development practices across a broad range of software products and online services since the inception of our Trustworthy Computing initiative over 10 years ago.  Our Security Development Lifecycle (SDL), which is a software development process aimed at helping developers produce more secure software, has been utilized by tens of thousands of engineers in the development of Microsoft products and services.  To help promote stronger security across the Information Technology (IT) ecosystem, we freely share our SDL tools and processes for others to utilize and adapt to their unique security needs.

Governments are justifiably concerned about SwA as part of their cybersecurity risk management efforts, and opening a public dialogue about those concerns is the right way forward. We believe that governmental approaches to SwA should be effective at improving security, enable ongoing innovation, and encourage a global marketplace for IT products and services.  We have made three main recommendations to help advance these ends:

SwA requirements should be drawn from international standards whenever possible.  Governments’ interest in SwA is timely because the International Standards Organization (ISO) recently finalized the first standard focused on secure software development, ISO/IEC 27034-1:2011.  This standard can also help an organization validate or identify gaps within its current application security program.  Additionally, this standard can help an organization implement aspects of ISO/IEC 27001, “Requirements for information security management systems,” via the systematic approach to risk management shared by the standards.  Consistent with our commitment to a globally-harmonized approach to cybersecurity concerns, Microsoft has publicly announced its conformance with ISO/IEC 27034-1.

SwA efforts should be integrated with the Common Criteria Recognition Arrangement.  Governments’ focus on SwA creates an opportunity to advance both global standardization of SwA practices and inter-governmental coordination towards improving software security.   Microsoft has observed that governments often have similar SwA concerns.  Moreover, many IT companies serve government customers across national boundaries.  Accordingly, rather than establishing several domestic SwA regimes, we recommend that current SwA requirements based on ISO/IEC 27034 be integrated into ISO/IEC 15408 and the Common Criteria Recognition Arrangement (CCRA).

Governments should expand SwA-related outreach to industry.  Government SwA initiatives would benefit from further engagement with industry.  There are a number of developer-led activities underway in the private and public sectors that involve best practices for harnessing industry expertise in the development of security standards.  For example, the Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective SwA methods.

We are encouraged by the Department of Defense’s interest in a strategic approach to SwA, and we are optimistic that any forthcoming SwA program would reinforce international standards and international cooperation.  We look forward to further engagement with the Department on this important topic.

Paul Nicholas
Senior Director, Global Security Strategy
Microsoft Corporation