Microsoft Broadens Secure Software Development Initiative

Microsoft described its latest "Secure Future Initiative" (SFI) efforts in a Wednesday announcement.

SFI is a relatively new company-wide software security engineering approach. It is being implemented across Microsoft's software, and Microsoft is making new investments to that end, as described in the announcement by Bret Arsenault, Microsoft's corporate vice president and chief cybersecurity advisor.

SFI was first announced in November. It is the successor to the company's Trustworthy Computing effort, initiated in 2002. Trustworthy Computing produced the Microsoft Security Development Lifecycle (SDL) software engineering approach, which Microsoft adopted in 2004; SFI aims to improve on it.

Continuous Security Development Lifecycle
Microsoft's SFI aims to go beyond the older SDL approach with a so-called "Continuous SDL" software development approach (apparently renamed from "Dynamic SDL"). Continuous SDL is tailored more toward addressing emerging threat patterns when building security into software. It is based on a "proactively evolving security model," Arsenault explained.

With Continuous SDL, security controls are integrated into software "throughout the development lifecycle" via systematic processes, Microsoft explained in a document describing its next-generation SDL:

Security controls are integrated into the engineering platform and tooling (such as Azure, Azure DevOps, GitHub, and our internal automated scanners). Then these controls are monitored and, where possible, automatically enforced.

SFI Funding Efforts
Microsoft described some specific monetary investments as being associated with its SFI efforts.

Microsoft is committed to supporting "memory safe" programming languages, which the U.S. National Security Agency has listed as "C#, Go, Java, Python, Rust and Swift." Microsoft, as part of its SFI effort, donated $1 million to the Rust Foundation in December.

Microsoft also donated "an additional $3.2 million" to the Alpha-Omega project, steered by Amazon and Google, which focuses on open source software security. Microsoft indicated that this donation will help to double the number of open source projects that it analyzes, "including 100 of the most commonly used open source AI libraries." Microsoft is also partnering with the Open Source Security Foundation as part of this effort.

Other Microsoft Software Security Efforts
Microsoft had announced back in November that it planned to use the CodeQL semantic code analysis engine to check code across "100 percent of commercial products." Right now, CodeQL is used across "86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups," the announcement indicated.

The CodeQL rollout has not yet reached 100 percent because of "specific code repositories and engineering tools requiring additional work," Arsenault explained.

Microsoft also provided an update on its move to the Microsoft Authentication Library (MSAL) as its standard identity library. MSAL provides a "unified authentication mechanism" and enables policy compliance management across Microsoft's services. It is now integrated across Microsoft 365 on "all four major platforms: Windows, macOS, iOS and Android," the announcement indicated. MSAL has also been "fully adopted" in Azure services tools, including "Microsoft Visual Studio, Azure SDK and Microsoft Azure CLI." The Microsoft Entra (formerly "Azure Active Directory") identity and access management service processes "over 99% of internal service-to-service authentication requests" using MSAL.

Microsoft is targeting moving its "most widely used applications" over to "standard identity libraries [meaning MSAL] by the end of the year."

Microsoft also explained that it plans to "fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys," which will be done by rotating the keys within hardware security modules (HSMs). Microsoft expects to achieve this automation by "the end of this year."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
