
08 November, 2023

Microsoft introduces the Secure Future Initiative

Concept image for cybersecurity, generated by Dream by WOMBO.
Charlie Bell, Executive VP of Microsoft Security, has shared more details about the Secure Future Initiative. The initiative anticipates future cyberthreats, such as increasing attacks on identity systems, and sets out how Microsoft will continue to build the secure foundations needed for the AI era and beyond.

Three areas of engineering advancement will take priority: transforming software development, implementing new identity protections, and driving faster vulnerability responses. "These advances comprise what we’re calling the Secure Future Initiative. Collectively, they improve security for customers both in the near term and in the future, against cyberthreats we anticipate will increase over the horizon," said Bell, together with Rajesh Jha, Microsoft Executive VP, Experiences and Devices, and Scott Guthrie, Microsoft Executive VP, Cloud and AI, in a blog post.

Specifically, Microsoft will:

Deliver software that is secure by design, by default, in deployment, and in operation. Microsoft's Security Development Lifecycle (SDL) will become a "dynamic SDL" (dSDL) by applying continuous integration and continuous delivery (CI/CD), so that protection against emerging cyberthreats is integrated as the company codes, tests, deploys, and operates.

Threat modelling will be accelerated and automated. CodeQL will be used for code analysis across all commercial products, and adoption of memory-safe languages (such as C#, Python, Java, and Rust) will be accelerated. The move is expected to eliminate "whole classes of traditional software vulnerability", the three executives said.

Microsoft will also apply its Azure tenant baseline controls (99 controls across nine security domains) by default across internal tenants. "This will reduce engineering time spent on configuration management, ensure the highest security bar, and provide an adaptive model where we add capability based on new operational learning and emerging adversary threats," the blog post stated.

In addition to these defaults, Microsoft will enforce adherence to the baseline settings in deployment and automatically remediate drift, with the goal of reaching 100% auto-remediation without impacting service availability. Further security measures to be enabled by default are also in the pipeline.

The company committed to a unified and consistent way of managing and verifying the identities and access rights of users, devices, and services across all of its products and platforms. "Our goal is to make it even harder for identity-focused espionage and criminal operators to impersonate users," Bell, Jha and Guthrie said.

Standard identity libraries such as the Microsoft Authentication Library (MSAL), which implement advanced identity defenses like token binding, continuous access evaluation, advanced application attack detection, and additional identity logging, are to be enforced across all of Microsoft. These capabilities are freely available to non-Microsoft application developers.

Identity signing keys are being moved to an integrated, hardened Azure hardware security module (HSM) and confidential computing infrastructure, so that the keys are encrypted not only at rest and in transit but also while in use. Key rotation will also be automated, allowing high-frequency key replacement with no possibility of human access to the keys.

When it comes to vulnerability response, Microsoft is pushing for more transparency industry-wide. The company plans to cut the time it takes to mitigate cloud vulnerabilities by 50%, and said it will take a more public stance against technology providers putting third-party researchers under non-disclosure agreements.

"Without full transparency on vulnerabilities, the security community cannot learn collectively—defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach," the three co-authors explained.
