Evolving the Microsoft Security Development Lifecycle


The software developers and systems engineers at Microsoft work with large-scale, complex systems that require collaboration among diverse, global teams, all while navigating the demands of rapid technological change. Today we're sharing how they're tackling security challenges in the white paper "Building the next generation of the Microsoft Security Development Lifecycle (SDL)", written by pioneers of future software development practices.

Twenty years of evolution

It's been 20 years since we launched the Microsoft Security Development Lifecycle (SDL), a set of practices and tools that help developers build more secure software and that is now used industry-wide. Born out of the Trustworthy Computing initiative and mirroring Microsoft's culture of upholding security, the intention of the SDL was, and still is, to embed security and privacy principles into technology from the start and to prevent vulnerabilities from reaching customers' environments.

In 20 years, the goal of the SDL hasn't changed. But the software development and cybersecurity landscape has, a lot.

With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is shipped faster and more frequently. The software supply chain has become more complex and more exposed to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.

The SDL is now a critical pillar of the Microsoft Secure Future Initiative, a multi-year commitment that advances the way we design, build, test, and operate Microsoft Cloud technology to ensure that we deliver solutions meeting the highest possible standard of security.



Continuous evaluation

Microsoft has been evolving the SDL into what we call "continuous SDL". In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed: products are no longer shipped on an annual or biannual basis. With the cloud and CI/CD practices, services ship daily, and sometimes several times a day.

Data-driven methodology

To achieve scale across Microsoft, we automate measurement with a data-driven methodology wherever possible. Data is collected from various sources, including code analysis tools like CodeQL. Our compliance engine uses this data to trigger actions when needed.

CodeQL: a static analysis engine that developers use to perform security analysis on source code, without running the code in a live environment.

While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also observed a 77% increase in CodeQL onboarding among pilot services.

Clear, traceable evidence

Software supply chain security has become a top priority because of the rise in high-profile attacks and the growing number of dependencies on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. As just one example, in response to Executive Order 14028 we added an SDL requirement to generate software bills of materials (SBOMs) for greater transparency.

However we didn’t cease there.

To provide transparency into how fixes happen, we now architect the storage of evidence into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. When the engine determines that a compliance requirement has been met, we can point to the exact data used to make that determination. The output is available through an interconnected "graph" that links signals from developer activity and tooling outputs to create high-fidelity insights. This helps us give customers stronger end-to-end assurances of our security.
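The two ideas above, a compliance engine that turns scanner data into action items and a verdict that keeps the evidence it was based on, can be shown together in a small worked example. The following is an added illustration, not Microsoft's compliance engine or any code from the white paper. It parses a constructed CodeQL-style SARIF 2.1.0 log (CodeQL emits SARIF with a `security-severity` property on each rule and a `primaryLocationLineHash` fingerprint on each result), maps each security finding to an assumed remediation SLA, compares it against a constructed fix ledger, and emits a verdict whose evidence records point back to the scan run and result fingerprint. The SLA table, the requirement name, the file paths and the dates are all assumptions for the demo.

```python
"""Toy compliance engine: derive SDL action items from a CodeQL SARIF log and
keep the evidence behind each verdict.

Added illustration; not Microsoft's compliance engine. The SARIF fragment,
the SLA policy, the requirement name and the fix ledger are constructed.
"""
import json
from datetime import date

# Constructed CodeQL-style SARIF 2.1.0 output for one scan of one service.
SARIF = json.loads(r'''
{"version": "2.1.0", "runs": [{
  "automationDetails": {"id": "payments-api/main/20240601"},
  "tool": {"driver": {"name": "CodeQL", "rules": [
    {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
    {"id": "py/clear-text-logging-sensitive-data", "properties": {"security-severity": "7.5"}},
    {"id": "py/unused-import", "properties": {}}
  ]}},
  "results": [
    {"ruleId": "py/sql-injection", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}],
     "partialFingerprints": {"primaryLocationLineHash": "f1a9c0:1"}},
    {"ruleId": "py/clear-text-logging-sensitive-data", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 17}}}],
     "partialFingerprints": {"primaryLocationLineHash": "77be21:1"}},
    {"ruleId": "py/unused-import", "level": "note",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}],
     "partialFingerprints": {"primaryLocationLineHash": "0c3d44:1"}}
  ]}]}
''')

# Assumed remediation policy: days allowed to fix a finding, by severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed fix ledger: fingerprint -> date the finding stopped appearing in scans (None = still open).
FIXED_ON = {"f1a9c0:1": date(2024, 6, 10), "77be21:1": None}


def severity_band(score: float) -> str:
    # Bands follow the CVSS qualitative scale.
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def action_items(sarif: dict) -> list:
    """Turn security-relevant SARIF results into action items; skip rules with no security severity."""
    items = []
    for run in sarif["runs"]:
        run_id = run.get("automationDetails", {}).get("id", "unknown-run")
        sev_by_rule = {r["id"]: r.get("properties", {}).get("security-severity")
                       for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            score = sev_by_rule.get(res["ruleId"])
            if score is None:
                continue  # hygiene rule (e.g. unused import), not an SDL security action item
            loc = res["locations"][0]["physicalLocation"]
            items.append({
                "run_id": run_id,
                "rule": res["ruleId"],
                "severity": severity_band(float(score)),
                "location": f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}",
                "fingerprint": res["partialFingerprints"]["primaryLocationLineHash"],
            })
    return items


def evaluate(items: list, fixed_on: dict, scan_date: date, today: date) -> dict:
    """Decide the remediation-SLA requirement and retain the evidence for each verdict."""
    records = []
    for it in items:
        deadline = scan_date.toordinal() + SLA_DAYS[it["severity"]]
        fixed = fixed_on.get(it["fingerprint"])
        if fixed is not None:
            status = "resolved_in_sla" if fixed.toordinal() <= deadline else "resolved_late"
        else:
            status = "open" if today.toordinal() <= deadline else "overdue"
        records.append({**it, "status": status, "deadline": date.fromordinal(deadline).isoformat(),
                        "fixed_on": fixed.isoformat() if fixed else None})
    in_sla = sum(r["status"] == "resolved_in_sla" for r in records)
    closed = sum(r["fixed_on"] is not None for r in records)
    overdue = [r for r in records if r["status"] == "overdue"]
    return {
        "requirement": "SDL-remediate-codeql-findings-within-sla",  # assumed requirement name
        "verdict": "pass" if not overdue else "fail",
        "timely_fix_rate": in_sla / closed if closed else None,
        "actions": [f"escalate {r['rule']} at {r['location']}" for r in overdue],
        "evidence": records,  # each verdict points back to run_id + fingerprint + dates used
    }


def run_demo(today_iso: str = "2024-08-01") -> dict:
    """Evaluate the constructed scan as of `today_iso`."""
    return evaluate(action_items(SARIF), FIXED_ON, date(2024, 6, 1), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run as of 2024-08-01, the SQL injection finding was fixed nine days after the scan and counts toward the timely-fix rate, while the clear-text logging finding is past its 30-day deadline, so the requirement fails and the engine emits an escalation. Every entry in `evidence` carries the scan run id, the result fingerprint and the dates the decision used, which is the property the "graph" described above depends on: a verdict you can trace back to the data that produced it.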


Modernized practices

Beyond making the SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices the SDL is built on, to keep up with changing technologies and ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We're investing in new threat modeling capabilities, accelerating the adoption of memory-safe languages, and focusing on securing open-source software and the software supply chain.

We're committed to providing continued assurance of open-source software security, measuring and monitoring open-source code repositories so that vulnerabilities are identified and remediated on a continuous basis. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. We've built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.

By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing defenses faster to protect against new classes of vulnerabilities.

How can continuous SDL benefit you?

Continuous SDL can help you in several ways:

  • Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.
  • Best practices: You can learn from Microsoft's best practices and tools and apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.
  • Empowerment: You can prepare for the future of security. Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.

Where can you learn more?

For more details and visual demonstrations of continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.

Learn more about the Secure Future Initiative and how Microsoft builds security into everything we design, develop, and deploy.

