Two decades of evolution

It’s been 20 years since we introduced the Microsoft Security Development Lifecycle (SDL)—a set of practices and tools that help developers build more secure software, now used industry-wide. Mirroring the culture of Microsoft to uphold security and born out of the Trustworthy Computing initiative, the aim of SDL was—and still is—to embed security and privacy principles into technology from the start and prevent vulnerabilities from reaching customers’ environments.

In 20 years, the goal of SDL hasn’t changed. But the software development and cybersecurity landscape has—a lot.

With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is shipped faster and more frequently. The software supply chain has become more complex and vulnerable to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.

SDL is now a critical pillar of the Microsoft Secure Future Initiative, a multi-year commitment that advances the way we design, build, test, and operate our Microsoft Cloud technology to ensure that we deliver solutions meeting the highest possible standard of security.

Next generation of the Microsoft SDL

Learn how we're tackling security challenges.

Read the white paper

Continuous evaluation

Microsoft has been evolving the SDL to what we call “continuous SDL”. In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed, products are no longer shipped on an annual or biannual basis. With the cloud and CI/CD practices, services are shipped daily or sometimes multiple times a day.

Data-driven methodology

To achieve scale across Microsoft, we automate measurement with a data-driven methodology when possible. Data is collected from various sources, including code analysis tools like CodeQL. Our compliance engine uses this data to trigger actions when needed.

CodeQL: A static analysis engine used by developers to perform security analysis on code outside of a live environment.

While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also saw a 77% increase in CodeQL onboarding amongst pilot services.

Transparent, traceable evidence

Software supply chain security has become a top priority due to the rise of high-profile attacks and the increase in dependencies on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. Just as one example, in response to Executive Order 14028, we added a requirement to the SDL to generate software bills of material (SBOMs) for greater transparency.

But we didn’t stop there.

To provide transparency into how fixes happen, we now architect the storage of evidence into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. By doing so, when the engine determines that a compliance requirement has been met, we can point to the data used to make that determination. The output is available through an interconnected “graph”, which links together various signals from developer activity and tooling outputs to create high-fidelity insights. This helps us give customers stronger assurances of our security end-to-end.

Modernized practices

Beyond making the SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices that the SDL is built on to keep up with changing technologies and ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We’re investing in new threat modeling capabilities, accelerating the adoption of new memory-safe languages, and focusing on securing open-source software and the software supply chain.

We’re committed to providing continued assurance to open-source software security, measuring and monitoring open-source code repositories to ensure vulnerabilities are identified and remediated on a continuous basis. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. We’ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.

By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing faster defenses that protect against new classes of vulnerabilities.

How can continuous SDL benefit you?

Continuous SDL can help you in several ways:

• Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.
• Best practices: You can learn from Microsoft’s best practices and tools to apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.
• Empowerment: You can prepare for the future of security. Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.

Where can you learn more?

For more details and visual demonstrations on continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.

Learn more about the Secure Future Initiative and how Microsoft builds security into everything we design, develop, and deploy.

The post Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software appeared first on Microsoft Security Blog.

While hospitals continue to battle the COVID-19 pandemic, many are battling other “viruses” behind the scenes. Malware, ransomware, and phishing attacks against healthcare delivery organizations are on the rise with many increasing in severity, exposure, and ramifications. An estimated 560 US healthcare targets were impacted by ransomware in 2020, with many of these targets being large conglomerates consisting of hundreds of hospitals.

Most cyberattacks against hospitals originate with or involve unmanaged IoT and medical devices, resulting in prolonged undetected breaches at the device, network, and perimeter levels. In fact, 63 percent of healthcare organizations experienced a security incident related to unmanaged IoT devices in the past two years. These gaps expose the most important elements of a hospital’s healthcare delivery mission.

Healthcare organizations are one of the biggest targets for online attacks. The most common attacks involve stealing patient data to derive financial gain. However, as the stakes rise and the attacks become more brazen, patient lives are now at risk.

The current state of cybersecurity in hospitals

Inherent vulnerabilities are an easy target for bad actors, and many hospital networks lack asset visibility and cybersecurity protection to effectively defend their networks. Currently, hospitals are experiencing:

• A shortage of cybersecurity talent: A lack of cybersecurity expertise has been a long-standing issue throughout the healthcare industry-leading organizations to rely heavily on third-party providers, software, and hardware to make up for the gap.
• Confusing regulatory requirements: A disconnect between the intentions of regulators and the nature of cybersecurity continues to drive vulnerabilities. Regulation is designed to prevent past occurrences from recurring and as such is fundamentally retrospective.
• Minimal software updating and security patching: Updating software and implementing security patches is critical to preventing many cyberattacks and yet device management within the industry is significantly lacking. In fact, 60 percent of medical devices are at the end-of-life stage with no patches or upgrades available.
• A proliferation of connected devices: More connected devices come into hospitals every year and the trend is only growing. More than 400 million connected medical devices are already operational worldwide, with another 125 million or so expected to come online in the next year.

Nursing the industry back to health

To effectively protect and defend hospitals from these attacks, a multi-layered approach and best-of-breed solution is required. Microsoft Defender for Endpoint is a complete security solution that protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. Complementary to this, the CyberMDX Healthcare Security Suite gets more granular and healthcare-specific by identifying, categorizing, and protecting connected medical devices—ensuring resiliency, as well as patient safety and data privacy.

Coupling the CyberMDX solution’s visibility and detection capabilities for unmanaged healthcare devices, together with Microsoft Defender for Endpoint single pane of glass view, healthcare organizations are equipped with unmatched cross-platform and device visibility, classification, and incident response capabilities.

With this combined solution, a large hospital network in the US was able to secure 100 plus connected device types across 26 locations. They were able to:

• Gain full discovery of all the connected (managed and unmanaged) devices in their network, whether medical devices, IoT, workstations, mobile and more.
• Automatically apply a risk profile to each connected asset and alert the security team of any malicious activity.
• Gain insight into device utilization metrics.
• Automatically track medical device recalls.

The solution also provided customized reports to IT, biomed, compliance, and executives, and instantly highlighted security issues related to ePHI, patient safety, and internet exposure. The hospital staff also utilized the comprehensive dashboards and reports for clinical network and medical device security, helping the IT and security teams to share information and collaborate more than they had in the past. The solution helped ensure patient safety and improved care so they could get back to what was important—saving lives.

The security of connected medical and IoT devices is a serious concern and attacks can come from anywhere. Together, CyberMDX and Microsoft provide a holistic view of all managed and unmanaged medical devices in a single dashboard; making hospitals safer and more efficient, so they can go back to focusing on their patients and saving lives.

Learn more

Explore CyberMDX. Visit the CyberMDX listing in the Azure Marketplace or visit our web page.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CyberMDX and Microsoft: Protecting life-saving medical devices appeared first on Microsoft Security Blog.

We want to help companies overcome that challenge. Many of you already use Microsoft Information Protection to help you to protect the sensitive data that resides in Microsoft 365 and have asked us to extend the reach of Microsoft Information Protection beyond Microsoft 365 to cover more of your digital estate. Today we are excited to announce Azure Purview, a unified data governance service that sets the foundation for data governance across your operational and analytical data estate that is available today in preview. Let’s dive into what that means for your organization.

Manage and govern your data with Azure Purview

Azure Purview enables you to map, catalog, understand, classify, and manage your operational and analytical data—whether on-premises, across your multicloud environment, or within SaaS applications.

With Azure Purview Data Map, you can automate the metadata scanning of on-premises, multicloud, and SaaS data and applications so that you can find and classify this data using built-in, custom classifiers, and Microsoft Information Protection sensitivity labels. With Purview Data Catalog, you can now search, understand the underlying sensitivity, and view how data is being used across the organization with data lineage.

Building on the power of Microsoft Information Protection

At Microsoft, we have long invested in developing information protection solutions for our customers. We started with Microsoft Information Protection, a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, Outlook), services (such as Microsoft Teams, SharePoint, Exchange, Power BI), third-party SaaS applications, and more—on-premises or in the cloud.

Azure Purview builds on the same sensitivity labels and data classification taxonomy in Microsoft Information Protection. By extending Microsoft Information Protection’s sensitivity labels with Azure Purview, organizations can now automatically discover, classify, and get insight into sensitivity across a broader range of data sources such as SQL Server, SAP, Teradata, Azure Data Services, and Amazon AWS S3, helping to minimize compliance risk. For more details about how Microsoft Information Protection and Azure Purview work together, check out this Tech Community blog.

Microsoft 365 compliance center and Azure Purview Studio show how an organization’s labels are used consistently across data types and data locations.

Governing your data, wherever it lives, is more critical than ever before, and we are committed to helping you every step of the way. To get started right now with Microsoft Information Protection, you can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center. To start using the preview of Azure Purview, visit the Azure Purview page.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Manage, govern, and get more value out of your data with Azure Purview appeared first on Microsoft Security Blog.

While cloud-delivered protections and AI advancements to the Windows OS have made it increasingly more difficult and expensive for attackers, they are rapidly evolving, moving to new targets: the seams between hardware and software that can’t currently be reached or monitored for breaches. We have already taken steps to combat these sophisticated cybercriminals and nation state actors with our partners through innovations like secured-core PCs that offer advanced identity, OS, and hardware protection.

Today, Microsoft alongside our biggest silicon partners are announcing a new vision for Windows security to help ensure our customers are protected today and in the future. In collaboration with leading silicon partners AMD, Intel, and Qualcomm Technologies, Inc., we are announcing the Microsoft Pluton security processor. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.

Our vision for the future of Windows PCs is security at the very core, built into the CPU, where hardware and software are tightly integrated in a unified approach designed to eliminate entire vectors of attack. This revolutionary security processor design will make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credential and encryption keys, and provide the ability to recover from software bugs.

Pluton design redefines Windows security at the CPU

Today, the heart of operating system security on most PCs lives in a chip separate from the CPU, called the Trusted Platform Module (TPM). The TPM is a hardware component which is used to help securely store keys and measurements that verify the integrity of the system. TPMs have been supported in Windows for more than 10 years and power many critical technologies such as Windows Hello and BitLocker. Given the effectiveness of the TPM at performing critical security tasks, attackers have begun to innovate ways to attack it, particularly in situations where an attacker can steal or temporarily gain physical access to a PC. These sophisticated attack techniques target the communication channel between the CPU and TPM, which is typically a bus interface. This bus interface provides the ability to share information between the main CPU and security processor, but it also provides an opportunity for attackers to steal or modify information in-transit using a physical attack.

The Pluton design removes the potential for that communication channel to be attacked by building security directly into the CPU. Windows PCs using the Pluton architecture will first emulate a TPM that works with the existing TPM specifications and APIs, which will allow customers to immediately benefit from enhanced security for Windows features that rely on TPMs like BitLocker and System Guard. Windows devices with Pluton will use the Pluton security processor to protect credentials, user identities, encryption keys, and personal data. None of this information can be removed from Pluton even if an attacker has installed malware or has complete physical possession of the PC.

This is accomplished by storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helping to ensure that emerging attack techniques, like speculative execution, cannot access key material. Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.

The Pluton security processor complements work Microsoft has done with the community, including Project Cerberus, by providing a secure identity for the CPU that can be attested by Cerberus, thus enhancing the security of the overall platform.

One of the other major security problems solved by Pluton is keeping the system firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources than can be difficult to manage, resulting in widespread patching issues.  Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.

The fusion of Microsoft’s OS security improvements, innovations like secured-core PCs and Azure Sphere, and hardware innovation from our silicon partners provides the capability for Microsoft to protect against sophisticated attacks across Windows PCs, the Azure cloud, and Azure intelligent edge devices.

Innovating with our partners to enhance chip-to-cloud security

The PC owes its success largely to an immensely vibrant ecosystem with OS, silicon, and OEM partners all working together to solve tough problems through collaborative innovation. This was demonstrated over 10 years ago with the successful introduction of the TPM, the first broadly available hardware root of trust. Since that milestone, Microsoft and partners have continued to collaborate on next generation security technologies that take full advantage of the latest OS and silicon innovations to solve the most challenging problems in security. This better together approach is how we intend to make the PC ecosystem the most secure available.

The Microsoft Pluton design technology incorporates all of the learnings from delivering hardware root-of-trust-enabled devices to hundreds of millions of PCs. The Pluton design was introduced as part of the integrated hardware and OS security capabilities in the Xbox One console released in 2013 by Microsoft in partnership with AMD and also within Azure Sphere. The introduction of Microsoft’s IP technology directly into the CPU silicon helped guard against physical attacks, prevent the discovery of keys, and provide the ability to recover from software bugs.

With the effectiveness of the initial Pluton design we’ve learned a lot about how to use hardware to mitigate a range of physical attacks. Now, we are taking what we learned from this to deliver on a chip-to-cloud security vision to bring even more security innovation to the future of Windows PCs (more details in this talk from Microsoft BlueHat). Azure Sphere leveraged a similar security approach to become the first IoT product to meet the “Seven properties of highly secure devices.”

The shared Pluton root-of-trust technology will maximize the health and security of the entire Windows PC ecosystem by leveraging the security expertise and technologies from the companies involved. The Pluton security processor will provide next generation hardware security protection to Windows PCs through future chips from AMD, Intel, and Qualcomm Technologies.

“At AMD, security is our top priority and we are proud to have been at the forefront of hardware security platform design to support features that help safeguard users from the most sophisticated attacks. As a part of that vigilance, AMD and Microsoft have been closely partnering to develop and continuously improve processor-based security solutions, beginning with the Xbox One console and now in the PC. We design and build our products with security in mind and bringing Microsoft’s Pluton technology to the chip level will enhance the already strong security capabilities of our processors.” – Jason Thomas, head of product security, AMD

“Intel continues to partner with Microsoft to advance the security of Windows PC platforms. The introduction of Microsoft Pluton into future Intel CPUs will further enable integration between Intel hardware and the Windows operating system.” – Mike Nordquist, Sr. Director, Commercial Client Security, Intel

“Qualcomm Technologies is pleased to continue its work with Microsoft to help make a slew of devices and use cases more secure. We believe an on-die, hardware-based Root-of-Trust like the Microsoft Pluton is an important component in securing multiple use cases and the devices enabling them.” – Asaf Shen, senior director of product management at Qualcomm Technologies, Inc.

We believe that processors with built-in security like Pluton are the future of computing hardware. With Pluton, our vision is to provide a more secure foundation for the intelligent edge and the intelligent cloud by extending this level of built-in trust to devices, and things everywhere.

Our work with the community helps Microsoft continuously innovate and enhance security at every layer. We’re excited to make this revolutionary security design a reality with the biggest names in the silicon industry as we continuously work to enhance security for all.

Listen to the Security Unlocked podcast

Hear more from the author of this blog on episode #14 of Security Unlocked. Subscribe for new episodes each week covering the latest in security news.

Listen now

The post Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs appeared first on Microsoft Security Blog.

A Microsoft account is free and you can use it to:

• Purchase apps from the Windows Store
• Back up all your data using free cloud storage
• Keep all your devices, photos, friends, games, settings, music, up to date and in sync.

5 ways to help protect your Microsoft account

1. Create a strong password. Strong passwords use a combination of uppercase and lowercase letters, numerals, punctuation marks, and symbols. The longer the better, and don’t use personal information (such as a pet’s name, nickname, or driver’s license number) that can be easily guessed.
2. Protect your password. Don’t use the same password you use on other sites, and remember to change your Microsoft account password (as well as other passwords) regularly. Watch out for email social engineering scams designed to trick you into turning over your password to a cybercriminal.
3. Enable two-step verification. Two-step verification uses two ways to verify your identity whenever you sign in to your Microsoft account. Two-step verification is optional, but we recommend that you use it. Learn how to turn it on.
4. Make sure the security information associated with your account is current. If the alternate email address or phone number you’ve given us changes, update the settings of your account so that we can contact you if there’s a problem.
5. Watch out for phishing scams. If you receive an email message about the security of your Microsoft account, it could be a phishing scam. Don’t click links in any messages unless you trust or check with the sender.

Don’t have a Microsoft account yet? See How do I sign up for a Microsoft account?

The post 5 ways to protect your Microsoft account appeared first on Microsoft Security Blog.

Control the content your children play and watch

Customize your children’s access to specifically rated games, movies, TV shows, and music according to their ages. By default, if the child is under 8 years of age, Access to content is set to “off.”

Filter the web

Parental controls let you determine what kinds of websites children can view in the Xbox One Internet Explorer app.

Manage what your children download and buy

Xbox One enables you to control what kinds of apps each child may download from the Xbox store. The setting options are:

• Blocked (none)
• Free apps only
• Free or paid apps

For more information:

• About the core family safety features of Xbox One
• Manage privacy and safety for Xbox One

The post Parental controls in Xbox One appeared first on Microsoft Security Blog.