Saturday, March 9, 2024

Enhancing protection: Updates on Microsoft’s Secure Future Initiative


At Microsoft, we’re continually evolving our cybersecurity strategy to stay ahead of threats targeting our products and customers. As part of our efforts to prioritize transparency and accountability, we’re launching a regular series on milestones and progress of the Secure Future Initiative (SFI), a multi-year commitment advancing the way we design, build, test, and operate our technology to help ensure that we deliver secure, reliable, and trustworthy products and services, enabling our customers to achieve their digital transformation goals and protect their data and assets from malicious actors.


Microsoft’s mission to empower every person and every organization on the planet to achieve more depends on security. We recognize that when Microsoft plays a role in pioneering cutting-edge technology, we also have the responsibility to lead the way in protecting our customers and our own infrastructure from cyberthreats. Against the exponentially increasing pace, scale, and complexity of the security landscape, it’s critical that we evolve to be more dynamic, proactive, and integrated in our security model to continue meeting the changing needs and expectations of our customers and the market. Our rich history in innovation is a testament to our commitment to delivering impactful and trustworthy products and services that shape industries and transform lives. This legacy continues as we consistently work to set new benchmarks for safeguarding our digital future.

Expanding upon our foundation of built-in security, in November 2023 we launched the Secure Future Initiative (SFI) to directly address the escalating speed, scale, and sophistication of cyberattacks we’re witnessing today. This initiative is an anticipatory strategy reflecting the actions we’re taking to “build better and respond better” in security, using automation and AI to scale this work, and strengthen identity protection against highly sophisticated cyberattacks. It’s not about tailoring our defenses to a single cyberattack: SFI underscores the importance of a continually and proactively evolving security model that adapts to the ever-changing digital landscape.

Four months have passed since we launched SFI, and the achievements in our engineering developments demonstrate the concrete actions we’ve implemented to make sure that Microsoft’s security infrastructure stays strong in a constantly changing digital environment. Read more below for updates on the initiative.


Transforming software development with automation and AI

As noted in our November 2, 2023 SFI announcement, we’re evolving our security development lifecycle (SDL) to continuous SDL, which we define as applying systematic processes to continuously integrate cybersecurity protection against emerging threat patterns as our engineers code, test, deploy, and operate our systems and services. Read more about continuous SDL here.

As part of our evolution to continuous SDL, we’re deploying CodeQL for code analysis to 100% of our commercial products. CodeQL is a powerful static analysis tool in the software security space. It offers advanced capabilities across numerous programming languages that detect complex security errors within source code. While our code repos go through rigorous SDL evaluation leveraging traditional tooling, as part of our SFI work we now use CodeQL to cover 86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups. We’re expanding this further and anticipate that completing the consolidation process of the last 14% will be a complex, multi-year journey due to specific code repositories and engineering tools requiring additional work. In 2023, we onboarded more than one billion lines of source code to CodeQL, which highlights our commitment toward progress.

As part of efforts to broaden adoption of memory safe languages, we donated USD1 million in December 2023 to the Rust Foundation, an integral partner in stewarding the Rust programming language. Additionally, we’re providing an additional USD3.2 million to the Alpha-Omega project. In partnership with the Open Source Security Foundation (OpenSSF) and co-led with Google and Amazon, Alpha-Omega’s mission is to catalyze security improvements to the most widely deployed open source software projects and ecosystems critical to global infrastructure. Our contribution this year will help expand coverage, more than doubling the number of widely deployed open source projects we analyze, including 100 of the most commonly used open source AI libraries. The Alpha-Omega 2023 Annual Report highlights security and process improvements from last year and strides toward fostering a sustainable culture of security within open source communities.

Collectively, our SFI-driven advances in expanding continuous SDL, fostering secure open source updates, and adopting memory safe languages strengthen the foundation of software throughout Microsoft’s own products and platforms, as well as the broader industry.

Strengthening identity protection against highly sophisticated attacks

As part of our SFI engineering advances, we’re enforcing the use of standard identity libraries such as the Microsoft Authentication Library (MSAL) enterprise-wide across Microsoft. This initiative is pivotal in achieving a cohesive and reliable identity verification framework. It facilitates seamless, policy-compliant management of user, device, and service identities across all Microsoft platforms and products, ensuring a fortified and consistent security posture.

Our efforts have already seen noteworthy achievements in several key areas. We’ve reached a major milestone with full integration of MSAL into Microsoft 365 across all four major platforms: Windows, macOS, iOS, and Android, marking a significant advancement toward universal standardization. This integration ensures that Microsoft 365 applications are underpinned by a unified authentication mechanism. In the Azure ecosystem, encompassing critical tools such as Microsoft Visual Studio, Azure SDK, and Microsoft Azure CLI, MSAL has been fully adopted, underscoring our commitment to secure and streamlined authentication processes within our development tools. Additionally, over 99% of internal service-to-service authentication requests, using Microsoft Entra for authorization, now utilize MSAL, highlighting our commitment to boosting security and efficiency in inter-service communications. Ultimately, these milestones further harden identity and authorization across our vast estate, making it increasingly difficult for threats and intruders to move between users and systems.

Looking ahead, we’re setting ambitious goals to further bolster our security infrastructure. By the end of this year, we aim to fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys. This process will include rapid rotation and secure storage of keys within Hardware Security Modules (HSMs), significantly enhancing our security measures. Additionally, we’re on track to ensure that Microsoft’s most widely used applications transition to standard identity libraries by the end of the year. Through these collective efforts we aim to not only enhance security but also improve the user experience and streamline authentication processes across our product suite.

Stay up to date on the latest Secure Future Initiative updates

As we forge ahead with the SFI, Microsoft remains unwavering in its commitment to continuously evolve our security posture and provide transparency in our communications. We’re dedicated to innovating, protecting, and leading in an era where digital threats are constantly changing. The progress we’ve shared today is only a fraction of our comprehensive strategy to safeguard the digital infrastructure and our customers who rely on it.

In the coming months, we’ll continue to share our progress on enhancing our capabilities, deploying innovative technologies, and strengthening our collaborations to address the complexities of cybersecurity. We’re committed to building a safer, more resilient digital world, with a focus on transparency and security in every step.

To learn more about the Microsoft SFI and read more details on our three engineering advances, visit our built-in security site.

Learn more about Microsoft Security solutions and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.




