Microsoft pledges a dramatic software security overhaul, as Amazon veteran shakes the tree
Biggest overhaul of Redmond's security in 20 years sees promises of “code analysis [of] 100% of commercial product”, cryptographic keys to be kept in a hardened Azure HSM, more.
Microsoft has vowed to radically overhaul how it builds and deploys software in a bid to improve product and cloud security, under a sweeping new cybersecurity project, the Secure Future Initiative (SFI).
It has also promised, in the wake of the theft of a Microsoft key later used to breach the mail servers of multiple US agencies, to move all such keys to a hardened Azure Hardware Security Module (HSM) and automatically rotate keys at high-frequency with “no potential for human access.”
The announcement, made to all staff in an email (published in full here) from Charlie Bell, EVP, Microsoft Security, represents the biggest overhaul of Redmond’s security and development efforts in nearly 20 years – when it launched its Security Development Lifecycle (SDL) in the wake of a string of impactful attacks on Windows 2000 and Windows XP PCs.
Bell was hired from Amazon in 2021 after 23 years at the company (where he was Director of Software Engineering) and has brought welcome fresh eyes to Microsoft's processes from its biggest cloud rival.
The move comes amid growing pressure from regulators on software companies to improve product security, after years of regulation (e.g. NIS) that has made demands on downstream users but none on vendors.
As the Cybersecurity and Infrastructure Security Agency (CISA) recently put it: “As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives.”
Microsoft leaders call for “your constant attention to security in everything you build and operate”
Bell promised the use of “automation and AI” in developing software “that is secure by design, by default, in deployment, and in operation.”
“Microsoft invented the Security Development Lifecycle (SDL) and made it a bedrock principle of software trust and engineering. We will evolve it to “dynamic SDL” (dSDL)...we’re going to apply the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate. Think of it as continuous integration and continuous security.”
More specifically he promised to (edited for brevity):
- “Accelerate and automate threat modeling, deploy CodeQL [a code analysis engine developed by GitHub to automate security checks] for code analysis to 100 percent of commercial product”
- “Accelerate security defaults across the board” including but also going beyond Multi-Factor Authentication (MFA)
- “Implement our Azure tenant baseline controls (99 controls across nine security domains) by default across our internal tenants automatically” (something that recognises this has not happened…)
- “Enforce the use of standard identity libraries (such as Microsoft Authentication Library) across all of Microsoft, which implement advanced identity defenses like token binding, continuous access evaluation, advanced application attack detections…”
- “Expand Microsoft’s use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level”
Bell wrote in the wake of a series of successful attacks on Microsoft, severe incidents with significant downstream impact, and vulnerabilities that raised serious concerns about its architectural choices in the cloud, all of which have infuriated customers already grappling with the inadequacies of native tooling for securing Active Directory.
Some recent Microsoft security highlights
> Hackers stole a powerful cryptographic key from Microsoft systems, used it to forge authentication tokens to access enterprise email servers and breached multiple federal agencies’ mail servers on the back of what The Stack described as “a strange concatenation of security failings”
> Extraordinarily, that acquired signing key was issued in April 2016 and expired in April 2021, but remained valid until it was finally rotated in July 2023 following Microsoft’s investigation of this incident.
> Vulnerabilities in Microsoft Exchange server were so widely exploited that multiple threat actors from financially motivated cybercriminals to state-sponsored APTs fought it out for control of exposed instances
> Private key data was found being stored in plaintext by four key Azure services in the keyCredentials property of an Azure AD application
> An Azure Active Directory bug let an attacker gain target account takeover by simply replacing an email address – in their own Azure AD
> A misconfigured Azure storage bucket exposed 2.4TB of Microsoft customer information, including emails and signed documents.
> Microsoft AI researchers exposed 38TB of data including employees’ personal computer backups, passwords to Microsoft services and secret keys for three years in a major security blunder that could also have let a malicious attacker inject malicious code into exposed AI models.
> A critical vulnerability in a driver used to connect AWS and Azure data services allowed an attacker to perform remote command execution (RCE) across infrastructure to reach other Azure tenants, or customers.
> A cryptographic key rotation and subsequent authentication issue inside Microsoft took down Azure services for millions
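The three key-lifecycle items in this story (keys moved into an HSM and rotated automatically with no human access, a signing key that outlived its own expiry and was used to forge tokens, and a rotation that broke authentication) reduce to one verifier rule: a signature is only as good as the lifetime window of the key that produced it, and rotation needs an overlap so that tokens minted just before cut-over still verify. The following is an added example illustrating that rule; it is not Microsoft's code and makes no claim about how Azure AD or the MSA signing service is implemented. The key set, the `KeySet`/`sign`/`verify` names, the rotation interval, the overlap and the dates in `scenario()` are all constructed for the demo, and an HMAC secret stands in for the asymmetric key an HSM would hold so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lifecycle parameters are assumptions for this example, not Microsoft's values.
ROTATION_INTERVAL = timedelta(days=7)   # a new signing key is cut every week
VERIFY_OVERLAP = timedelta(hours=24)    # a retired key still verifies for 24h
TOKEN_LIFETIME = timedelta(hours=1)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class SigningKey:
    kid: str
    secret: bytes          # stand-in for the HSM-resident private key
    not_before: datetime   # verification accepted from here ...
    sign_until: datetime   # ... signing stops here (the rotation point) ...
    not_after: datetime    # ... and verification stops here (end of overlap)


class KeySet:
    """Key set with automatic rotation and a bounded verification window per key."""

    def __init__(self, now: datetime):
        self.keys: dict[str, SigningKey] = {}
        self.current = self._rotate(now)

    def _rotate(self, now: datetime) -> SigningKey:
        key = SigningKey(
            kid="k-" + now.strftime("%Y%m%dT%H%M%SZ"),
            secret=secrets.token_bytes(32),
            not_before=now,
            sign_until=now + ROTATION_INTERVAL,
            not_after=now + ROTATION_INTERVAL + VERIFY_OVERLAP,
        )
        self.keys[key.kid] = key
        return key

    def signing_key(self, now: datetime) -> SigningKey:
        """Key to sign with right now; rotates once the current key reaches sign_until."""
        if now >= self.current.sign_until:
            self.current = self._rotate(now)
        # Belt and braces: a key past not_after is removed from the set entirely.
        self.keys = {kid: k for kid, k in self.keys.items() if now < k.not_after}
        return self.current


def sign(key: SigningKey, claims: dict, now: datetime) -> str:
    """Mint a compact token. Note this does NOT check sign_until: whoever holds the
    raw key material (including a thief) can always produce a valid signature."""
    header = {"alg": "HS256", "kid": key.kid}
    body = dict(claims, iat=int(now.timestamp()),
                exp=int((now + TOKEN_LIFETIME).timestamp()))
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(body).encode())
    mac = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)


def verify(token: str, keyset: KeySet, now: datetime) -> tuple[bool, str]:
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except ValueError:
        return False, "malformed token"
    key = keyset.keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    # Enforce the KEY's lifetime before trusting the signature. A mathematically
    # valid signature from a key outside its window is exactly the forged-token case.
    if not (key.not_before <= now < key.not_after):
        return False, f"signing key {key.kid} outside its validity window"
    expected = hmac.new(key.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    if now.timestamp() >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"


def scenario() -> dict:
    """Constructed timeline exercising the three failure modes discussed above."""
    t0 = datetime(2016, 4, 1, tzinfo=timezone.utc)   # constructed date, not a real event
    ks = KeySet(t0)
    key0 = ks.current
    out = {}
    tok = sign(ks.signing_key(t0), {"sub": "alice"}, t0)
    out["fresh"] = verify(tok, ks, t0 + timedelta(minutes=5))
    h, _, s = tok.split(".")
    out["tampered"] = verify(h + "." + _b64(b'{"sub":"mallory"}') + "." + s, ks, t0 + timedelta(minutes=5))
    # Graceful rotation: a token minted a minute before cut-over still verifies after it.
    t1 = t0 + ROTATION_INTERVAL - timedelta(minutes=1)
    old_tok = sign(ks.signing_key(t1), {"sub": "bob"}, t1)
    t2 = t0 + ROTATION_INTERVAL + timedelta(minutes=1)
    out["rotated"] = ks.signing_key(t2).kid != key0.kid
    out["overlap"] = verify(old_tok, ks, t2)
    # Stolen key, years later: the forged token's own 'exp' is fresh, only the key is dead.
    t_later = datetime(2023, 7, 1, tzinfo=timezone.utc)
    out["forged"] = verify(sign(key0, {"sub": "admin"}, t_later), ks, t_later)
    # Past the overlap the old key is rejected, then pruned from the set altogether.
    t3 = t0 + timedelta(days=9)
    out["after_overlap"] = verify(old_tok, ks, t3)
    ks.signing_key(t3)
    out["pruned"] = verify(old_tok, ks, t3)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:14} {result}")
```

The order of checks in `verify` is the point: the key window is tested before the signature and before the token's own `exp`, so a token forged with a stolen but long-expired key is refused even though both the MAC and the attacker-chosen `exp` would pass on their own. The overlap window is what keeps a high-frequency rotation from turning into an outage: tokens issued seconds before cut-over remain verifiable until `not_after`, and only then is the key dropped.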
Contextualising the launch of Microsoft’s Secure Future Initiative (as Bell told staff “all of you will be engaged [with] constant attention to security in everything you build and operate”) President Brad Smith said: “In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response…”
Highlighting the changes Bell mentioned to secure development, he added: “We are pushing the envelope in vulnerability response and security updates for our cloud platforms. We plan to cut the time it takes to mitigate cloud vulnerabilities by 50%” and reiterated plans to enforce more MFA, saying: “Over the next year we will enable customers with more secure default settings for MFA out-of-the-box. This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”
Smith added: "We are keenly sensitive to the impact of such changes on legacy computing infrastructure, and hence we will focus on both new engineering work and expansive communications to explain where we are focused on these default settings and the security benefits this will create.”