Microsoft expands its 'built-in security' with new Secure Future Initiative

In the wake of several highly publicized security breaches, Microsoft’s CVP and chief cybersecurity advisor announces expanded security efforts to safeguard the company’s software development process.

Microsoft’s Bret Arsenault announced a renewed commitment to software security for the company that incorporates a new Secure Future Initiative (SFI).

SFI was originally announced by Microsoft vice chair and President Brad Smith back in November of 2023 under three tenants of advancing engineering development that include transforming software development, implementing new identity protections, and driving faster vulnerability responses.

Fast forward to earlier this week and Arsenault is adding to that initiative with additional details and updates to SFI.

Evolving development lifecycles

Since announcing SFI, Microsoft has quickly evolved its previous security development lifecycle to a more flexible continuous SDL that supports CodeQL to 100 percent of its commercial products.

• While our code repos go through rigorous SDL assessment leveraging traditional tooling, as part of our SFI work we now use CodeQL to cover 86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups. We are expanding this further and anticipate that completing the consolidation process of the last 14% will be a complex, multi-year journey due to specific code repositories and engineering tools requiring additional work. 

Microsoft also broadened its adoption of memory safe languages, donated to the Rust Foundation to help advance the Rust programming language, as well as investing $3.2M into the Alpha-Omega project, and partnering with Google, Amazon, and Alpha-Omega tangentially on the Open-Source Security Foundation (SSF). Through this strategic support initiative, Microsoft predicts it will hasten its ability to cover, analyze and deploy more open-source projects in the near-future.

Fending off identity attacks with tighter protections

Microsoft has also improved its SFI efforts by enforcing the used of standard identity libraries that includes Microsoft’s own Authentication Library (MSAL).

• Furthermore, over 99% of internal service-to-service authentication requests, using Microsoft Entra for authorization, now utilize MSAL, highlighting our dedication to boosting security and efficiency in inter-service communications. Ultimately, these milestones further harden identity and authorization across our vast estate, making it increasingly difficult for threats and intruders to move between users and systems.

Eventually, Microsoft would like to automate more of its security infrastructure, and by the end of the year it predicts it will be able to fully automate the management process through Microsoft Entra ID and Microsoft Account (MSA) keys by standardizing the identity libraries used in the company’s most used apps.

Transparency into future security efforts

While it might feel counterintuitive to be transparent about security efforts that aim to undercut evolving threats, Microsoft “remains unwavering in its commitment to continuously evolve our security posture and provide transparency in our communications.”

Without giving any solid dates or times, Microsoft is saying that in the ‘coming months’ it will share further progress on its SFI efforts to strengthen the security process surrounding its software development process.