Software developers and systems engineers at Microsoft work with large, complex systems that require collaboration between diverse, global teams, all while navigating the demands of rapid technological advancement. Today we share how they address security challenges in a white paper, “Building the next generation of the Microsoft Security Development Lifecycle (SDL),” created by pioneers of future software development practices.
Two decades of evolution
It’s been 20 years since we introduced the Microsoft Security Development Lifecycle (SDL)—a set of practices and tools that help developers build more secure software, now used across the industry. Reflecting Microsoft’s security-supportive culture and born out of the Trustworthy Computing initiative, SDL’s goal was—and still is—to embed security and privacy principles into technology from the outset and prevent vulnerabilities from reaching the user’s environment.
In 20 years, the goal of SDL has not changed. But the software development and cybersecurity landscape has changed a great deal.
With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is delivered faster and more frequently. The software supply chain has become more complex and vulnerable to cyber attacks. And new technologies such as artificial intelligence and quantum computing pose new challenges and opportunities for security.
SDL is now a key pillar of Microsoft’s Secure Future initiative, a multi-year commitment that advances the way we design, build, test and manage our Microsoft Cloud technology to ensure we deliver solutions that meet the highest possible security standard.
The next generation of Microsoft SDL
Find out how we deal with security challenges.
Continuous evaluation
Microsoft is developing SDL into what we call “continuous SDL”. In short, Microsoft is now measuring security posture more frequently and throughout the development lifecycle. Why? Times have changed: products are no longer shipped on an annual or bi-annual basis. With cloud and CI/CD practices, services are delivered daily or sometimes multiple times a day.
Data driven methodology
To achieve scale across Microsoft, we automate measurement with a data-driven methodology when possible. Data is collected from a variety of sources, including code analysis tools such as CodeQL. Our compliance engine uses this data to trigger actions when necessary.
CodeQL: a static analysis engine used by developers to perform security analysis of code outside of a live environment.
While some SDL controls may never be fully automated, a data-driven methodology helps achieve better security results. In CodeQL pilot implementations, 92% of actions were addressed and resolved on time. We also saw a 77% increase in CodeQL onboarding among pilot services.
Transparent, traceable evidence
Software supply chain security has become a top priority due to the rise of high-profile attacks and increasing dependence on open source software. Transparency is particularly important, and Microsoft has been a pioneer in traceability and transparency in SDL for years. As just one example, in response to Executive Order 14028, we added a requirement to SDL to generate a software bill of materials (SBOM) for greater transparency.
But we didn’t stop there.
To ensure transparency into how fixes happen, we are now designing evidence storage into our tools and platforms. Our compliance engine collects and stores data and telemetry as evidence. That way, when the engine determines that a compliance requirement is met, we can point to the data used to make that determination. The output is available through an interconnected “graph”, which connects various signals from developer activity and tool outputs to create high-fidelity insights. This helps us provide clients with a stronger guarantee of our security from start to finish.
Modernized practices
In addition to making SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices on which SDL is built to keep pace with changing technologies and ensure that our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were withdrawn, and 19 received major updates. We are investing in new threat modeling capabilities, accelerating adoption of new memory-safe languages, and focusing on securing open source software and the software supply chain.
We are committed to providing continuous assurance for the security of open source software, measuring and monitoring open source repositories to ensure that vulnerabilities are identified and corrected on an ongoing basis. Microsoft is also committed to bringing responsible AI to SDL, building AI into our security tools to help developers identify and fix vulnerabilities faster. We’ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.
By implementing modernized practices in SDL, we can stay ahead of attacker innovation, designing faster defenses that protect against new classes of vulnerabilities.
How can continuous SDL benefit you?
Continuous SDL can help you in several ways:
- Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and by implementation. Microsoft follows a continuous SDL for software development to continuously assess and improve its security posture.
- Best practices: You can learn from Microsoft’s best practices and tools to apply to your own software development. Microsoft shares its SDL guidelines and resources with the developer community and contributes to open source security initiatives.
- Empowerment: You can prepare for the future of security. Microsoft is investing in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.
Where can you learn more?
For more details and visual demonstrations of continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.
Learn more about the Secure Future Initiative and how Microsoft is building security into everything we design, develop and deploy.