24 Core Software Security
the security posture of an organization. Competition and marketing hype drove confusion, with different organizations standardizing on different attestations. The authors have seen organizations pushing their customers (in most cases, other companies) to adopt their recommended attestation. For Fortune 500 companies this meant obtaining multiple attestations/certifications as proof of security posture. It did not help that most of these attestations/certifications focused on "compliance controls" or "policy-based security." The situation became worse with regulations such as SOX, GLBA, Safe Harbor, and HIPAA adding to the confusion. Companies often pursued a set of certifications, one each for compliance, security, privacy, credit card data, physical security, and so on.
ISO/IEC developed ISO/IEC 27001 (incorporating ISO/IEC 17799, which had been the previous de facto ISO standard for information security and was later renumbered ISO/IEC 27002). It is an information security management system (ISMS) standard that specifies a management system intended to bring information security under formal management control. It mandates specific requirements that must be met when an organization adopts the standard. The standard addresses information security holistically and encompasses everything from physical security to compliance. Industry has enthusiastically adopted its practices, and ISO/IEC 27001 is the leading ISMS standard today. Most of the controls from other standards can be mapped back to ISO/IEC 27001. This has enabled organizations to consolidate multiple security efforts under one standard, pursue a single framework with holistic security in mind, and collect metrics in a consistent manner to measure and govern security across the organization.
The authors see the landscape for software security (and SDL) as similar to what information security as a whole looked like a few years ago, before ISO/IEC 27001 came along. There are multiple SDL methodologies (open and proprietary), each claiming to be better than the next. Confusion prevails over the best way to accomplish software security in an organization. Applying any one framework requires the organization either to adopt different processes or to customize an SDL framework that will work in its environment. With the arrival of ISO/IEC 27034, the authors expect consolidation of software security standards and frameworks, as ISO/IEC 27001 did for information security. Even in its infancy, there is awareness of the importance of ISO/IEC 27034. Microsoft has declared its SDL methodology to be in