Securing the development and deployment of software is vital to reducing cybersecurity risks for independent software vendors. By following industry standard coding practices such as OWASP Top 10 or SANS Top 25 CWE, and by ensuring developers receive regular training in secure software development, ISVs can help bring their apps to market with the latest compliance standards to protect customer data.

If the software is not designed with security in mind, it can lead to vulnerabilities. This includes not following secure coding practices and not considering potential threats during the design phase. Using third-party libraries or components can also introduce vulnerabilities if those components are not regularly updated or if they contain security flaws.

Without thorough security testing, vulnerabilities can go undetected. This includes both static code analysis and dynamic testing to identify potential security issues. If access controls are not properly implemented, unauthorized users may gain access to sensitive data or systems. Ensuring that only authorized personnel have access to the development environment and the codebase can help mitigate potential risks.

Developers who are not trained in secure coding practices may inadvertently introduce vulnerabilities into the code. Regular training and awareness programs are essential to ensure that developers are aware of the latest security threats and best practices. Incorrect configuration of development and production environments can lead to security vulnerabilities. This includes misconfigured servers, databases, and other infrastructure components.

By addressing these risks through secure development practices, regular security assessments, and continuous monitoring, ISVs can significantly reduce the likelihood of security breaches during the software development stage and safeguard customer data.

Microsoft 365 Certification validates secure software development best practices

The secure software development/deployment control group focuses on ensuring ISVs implement strong security measures against various threats during software development. The Microsoft 365 Certification validates compliance by reviewing development standards and best practices for secure coding, including OWASP Top 10 or SANS Top 25 CWE.

ISVs show that developers undergo relevant secure coding and software development training annually by way of certificates or training logs. Auditors will review policies relating to code changes and review/approval processes, that appropriate access controls are in place and enforced through multi-factor authentication (MFA). And all releases made into the production environments are reviewed and approved prior to their deployment.

Additionally, this control set is partially automated using ACAT, The App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications using Microsoft 365 customer data and published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports.

Next steps

To learn more on how Microsoft 365 Certification validates change controls are in place for your application, visit the secure software development evidence requirements.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.