Microsoft Broadens Secure Software Development Initiative

Microsoft described its latest "Secure Future Initiative" (SFI) efforts, in a Wednesday announcement.

SFI is a relatively new company-wide software security engineering approach. It is being implemented across Microsoft's software, and Microsoft is making new investments to that end, as described in the announcement by Bret Arsenault, Microsoft's corporate vice president and chief cybersecurity advisor.

SFI was first announced as launching back in November. It's a successor to the company's Trustworthy Computing effort, initiated in 2002. Trustworthy Computing produced the Microsoft Security Development Lifecycle (SDL), a software engineering approach Microsoft adopted in 2004; SFI aims to improve on it.

Continuous Security Development Lifecycle
Microsoft's SFI aims to go beyond the older SDL approach with a so-called "Continuous SDL" software development approach (apparently renamed from "Dynamic SDL"). This Continuous SDL approach is tailored more toward addressing emerging patterns when building security into software. It's based on a "proactively evolving security model," Arsenault explained.

With Continuous SDL, security controls get integrated into software "throughout the development lifecycle" via systematic processes, Microsoft explained in this document on its next-generation SDL:

Security controls are integrated into the engineering platform and tooling (such as Azure, Azure DevOps, GitHub, and our internal automated scanners). Then these controls are monitored and, where possible, automatically enforced.

SFI Funding Efforts
Microsoft described some specific monetary investments as being associated with its SFI efforts.

Microsoft is committed to supporting "memory safe" programming languages, which the U.S. National Security Agency has listed as "C#, Go, Java, Python, Rust and Swift." Microsoft, as part of its SFI effort, donated $1 million to the Rust Foundation in December.

Microsoft also donated "an additional $3.2 million" to the Alpha-Omega project, steered by Amazon and Google, which focuses on open source software security. Microsoft indicated that this donation will help to double the number of open source projects that it analyzes, "including 100 of the most commonly used open source AI libraries." Microsoft is also partnering with the Open Source Security Foundation as part of this effort.

Other Microsoft Software Security Efforts
Microsoft had announced back in November that it planned to use the CodeQL semantic code analysis engine to check code across "100 percent of commercial products." Right now, CodeQL is used across "86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups," the announcement indicated.

The CodeQL effort has not yet reached 100 percent because of "specific code repositories and engineering tools requiring additional work," Arsenault explained.

Microsoft also provided updated information about its identity library switch to using the Microsoft Authentication Library (MSAL). MSAL provides for a "unified authentication mechanism" and enables policy compliance management across Microsoft's services. It's now integrated across Microsoft 365 on "all four major platforms: Windows, macOS, iOS and Android," the announcement indicated. MSAL has also been "fully adopted" in Azure services tools, including "Microsoft Visual Studio, Azure SDK and Microsoft Azure CLI." The Microsoft Entra (formerly "Azure Active Directory") identity and access management service processes "over 99% of internal service-to-service authentication requests" using MSAL.

Microsoft is targeting moving its "most widely used applications" over to "standard identity libraries [meaning MSAL] by the end of the year."

Microsoft also explained that it plans to "fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys," which will be done by rotating the keys within hardware security modules. Microsoft expects to achieve this automation by "the end of this year."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
