Microsoft Broadens Secure Software Development Initiative

Microsoft described its latest "Secure Future Initiative" (SFI) efforts in a Wednesday announcement.

SFI is a relatively new company-wide software security engineering approach. It is being implemented across Microsoft's software, and Microsoft is making new investments to that end, as described in the announcement by Bret Arsenault, Microsoft's corporate vice president and chief cybersecurity advisor.

SFI was first announced in November. It's a successor to the company's Trustworthy Computing effort, initiated in 2002. Trustworthy Computing produced the Microsoft Security Development Lifecycle (SDL) software engineering approach in 2004, which Microsoft adopted; SFI aims to improve on it.

Continuous Security Development Lifecycle
Microsoft's SFI aims to go beyond the older SDL approach with a so-called "Continuous SDL" software development approach (apparently renamed from "Dynamic SDL"). This Continuous SDL approach is tailored more toward addressing emerging patterns when building security into software. It's based on a "proactively evolving security model," Arsenault explained.

With Continuous SDL, security controls get integrated into software "throughout the development lifecycle" via systematic processes, Microsoft explained in this document on its next-generation SDL:

Security controls are integrated into the engineering platform and tooling (such as Azure, Azure DevOps, GitHub, and our internal automated scanners). Then these controls are monitored and, where possible, automatically enforced.

SFI Funding Efforts
Microsoft described some specific monetary investments as being associated with its SFI efforts.

Microsoft is committed to supporting "memory safe" programming languages, which the U.S. National Security Agency has listed as "C#, Go, Java, Python, Rust and Swift." Microsoft, as part of its SFI effort, donated $1 million to the Rust Foundation in December.

Microsoft also donated "an additional $3.2 million" to the Alpha-Omega project, steered by Amazon and Google, which focuses on open source software security. Microsoft indicated that this donation will help to double the number of open source projects that it analyzes, "including 100 of the most commonly used open source AI libraries." Microsoft is also partnering with the Open Source Security Foundation as part of this effort.

Other Microsoft Software Security Efforts
Microsoft had announced back in November that it planned to use the CodeQL semantic code analysis engine to check code across "100 percent of commercial products." Right now, CodeQL is used across "86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups," the announcement indicated.

The CodeQL effort is not yet at 100 percent because of "specific code repositories and engineering tools requiring additional work," Arsenault explained.

Microsoft also provided an update on its switch to the Microsoft Authentication Library (MSAL) as its standard identity library. MSAL provides a "unified authentication mechanism" and enables policy compliance management across Microsoft's services. It's now integrated across Microsoft 365 on "all four major platforms: Windows, macOS, iOS and Android," the announcement indicated. MSAL has also been "fully adopted" in Azure services tools, including "Microsoft Visual Studio, Azure SDK and Microsoft Azure CLI." The Microsoft Entra (formerly "Azure Active Directory") identity and access management service processes "over 99% of internal service-to-service authentication requests" using MSAL.

Microsoft is targeting moving its "most widely used applications" over to "standard identity libraries [meaning MSAL] by the end of the year."

Microsoft also explained that it plans to "fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys," which it will do by rotating the keys within hardware security modules (HSMs). Microsoft expects to achieve this automation by "the end of this year."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
