{"id":24113,"date":"2024-03-07T16:01:28","date_gmt":"2024-03-08T00:01:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/07\/news-17843\/"},"modified":"2024-03-07T16:01:28","modified_gmt":"2024-03-08T00:01:28","slug":"news-17843","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/07\/news-17843\/","title":{"rendered":"Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software"},"content":{"rendered":"<p><strong>Credit to Author: David Ornstein and Tony Rice | Date: Thu, 07 Mar 2024 17:00:00 +0000<\/strong><\/p>\n<p>Microsoft\u2019s software developers and systems engineers work on large-scale, complex systems that require collaboration across diverse, global teams, all while keeping pace with rapid technological change. Today we\u2019re sharing how they\u2019re tackling security challenges in the white paper <a href=\"https:\/\/aka.ms\/SecureFutureInitiative-SDLwhitepaper\" target=\"_blank\" rel=\"noreferrer noopener\">\u201cBuilding the next generation of the Microsoft Security Development Lifecycle (SDL)\u201d<\/a>, written by SDL pioneers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"two-decades-of-evolution\">Two decades of evolution<\/h2>\n<p>It\u2019s been 20 years since we introduced the <a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/\">Microsoft Security Development Lifecycle (SDL)<\/a>\u2014a set of practices and tools that help developers build more secure software, now used industry-wide. 
Born out of the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/01\/21\/celebrating-20-years-of-trustworthy-computing\/?web=1\">Trustworthy Computing<\/a> initiative and reflecting Microsoft\u2019s security culture, SDL has always aimed to embed security and privacy principles into technology from the start and to prevent vulnerabilities from reaching customers&#8217; environments.<\/p>\n<p>In 20 years, the goal of SDL hasn\u2019t changed. But the software development and cybersecurity landscape has\u2014a lot.<\/p>\n<p>With cloud computing, Agile methodologies, and continuous integration\/continuous delivery (CI\/CD) pipeline automation, software ships faster and more frequently. The software supply chain has become more complex and more exposed to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.<\/p>\n<p>SDL is now a critical pillar of the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/11\/02\/announcing-microsoft-secure-future-initiative-to-advance-security-engineering\/\">Microsoft Secure Future Initiative<\/a>, a multi-year commitment that advances the way we design, build, test, and operate our Microsoft Cloud technology so that the solutions we deliver meet the highest possible standard of security.<\/p>\n<h2 class=\"wp-block-heading\" id=\"continuous-evaluation\">Continuous evaluation<\/h2>\n<p>Microsoft has been evolving the SDL into what we call &#8220;continuous SDL&#8221;. In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed: products are no longer shipped on an annual or biannual basis. With the cloud and CI\/CD practices, services ship daily, sometimes multiple times a day.<\/p>\n<h2 class=\"wp-block-heading\" id=\"data-driven-methodology\">Data-driven methodology<\/h2>\n<p>To achieve scale across Microsoft, we automate measurement with a data-driven methodology wherever possible. Data is collected from various sources, including code analysis tools like CodeQL. 
Our compliance engine uses this data to trigger actions when needed.<\/p>\n<blockquote class=\"wp-block-quote blockquote\">\n<p><strong>CodeQL<\/strong>: A static analysis engine that developers use to run security analysis on source code outside of a live environment.<\/p>\n<\/blockquote>\n<p>While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also saw a 77% increase in CodeQL onboarding among pilot services.<\/p>\n<h2 class=\"wp-block-heading\" id=\"transparent-traceable-evidence\">Transparent, traceable evidence<\/h2>\n<p>Software supply chain security has become a top priority due to the rise of high-profile attacks and the growing dependence on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. As one example, in response to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/02\/17\/us-government-sets-forth-zero-trust-architecture-strategy-and-requirements\/\">Executive Order 14028<\/a>, we added a requirement to the SDL to generate software bills of materials (SBOMs) for greater transparency.<\/p>\n<p>But we didn\u2019t stop there.<\/p>\n<p>To provide transparency into <em>how<\/em> fixes happen, we now build evidence storage into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. As a result, when the engine determines that a compliance requirement has been met, we can point to the data used to make that determination. The output is available through an interconnected \u201cgraph\u201d, which links together signals from developer activity and tooling outputs to create high-fidelity insights. 
This helps us give customers stronger end-to-end assurances of our security.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/03\/Picture1-1.webp\" alt=\"Design, Architecture, and Governance step by step delivery\" class=\"wp-image-133646 webp-format\"><\/figure>\n<h2 class=\"wp-block-heading\" id=\"modernized-practices\">Modernized practices<\/h2>\n<p>Beyond making the SDL automated, data-driven, and transparent, Microsoft is also modernizing the practices the SDL is built on, to keep up with changing technologies and to ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We\u2019re investing in new threat modeling capabilities, accelerating the adoption of memory-safe languages, and focusing on securing open-source software and the software supply chain.<\/p>\n<p>We\u2019re committed to continued assurance of open-source software security, measuring and monitoring open-source code repositories so that vulnerabilities are identified and remediated continuously. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. 
We\u2019ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.<\/p>\n<p>By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing defenses faster to protect against new classes of vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-can-continuous-sdl-benefit-you\">How can continuous SDL benefit you?<\/h2>\n<p>Continuous SDL can help you in several ways:<\/p>\n<ul>\n<li><strong>Peace of mind<\/strong>: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.<\/li>\n<li><strong>Best practices<\/strong>: You can learn from Microsoft&#8217;s best practices and tools and apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.<\/li>\n<li><strong>Empowerment<\/strong>: You can prepare for the future of security. 
Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"where-can-you-learn-more\">Where can you learn more?<\/h2>\n<p>For more details and visual demonstrations on continuous SDL, <a href=\"https:\/\/aka.ms\/SecureFutureInitiative-SDLwhitepaper\" target=\"_blank\" rel=\"noreferrer noopener\">read the full white paper<\/a> by SDL pioneers Tony Rice and David Ornstein.<\/p>\n<p>Learn more about the <a href=\"https:\/\/aka.ms\/builtinsecurity\">Secure Future Initiative and how Microsoft builds security into everything<\/a> we design, develop, and deploy.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/03\/07\/evolving-microsoft-security-development-lifecycle-sdl-how-continuous-sdl-can-help-you-build-more-secure-software\/\">Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ornstein and Tony Rice | Date: Thu, 07 Mar 2024 17:00:00 +0000<\/strong><\/p>\n<p>The software developers and systems engineers at Microsoft work with large-scale, complex systems, requiring collaboration among diverse and global teams, all while navigating the demands of rapid technological advancement, and today we\u2019re sharing how they\u2019re tackling security challenges in the white paper: \u201cBuilding the next generation of the Microsoft Security 
Development Lifecycle (SDL)\u201d, created by the pioneers of future software development practices.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/03\/07\/evolving-microsoft-security-development-lifecycle-sdl-how-continuous-sdl-can-help-you-build-more-secure-software\/\">Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-24113","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24113"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24113\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24113"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}