UPDATED 17:33 EDT / NOVEMBER 02 2023

SECURITY

Microsoft launches internal initiative to make its products more secure

Microsoft Corp. today announced the Secure Future Initiative, a broad internal effort aimed at increasing the security of its products.

The first goal of the project is to reduce the chance that code vulnerabilities will find their way into the company’s software. Additionally, Microsoft is seeking to speed up remediation in cases when a security flaw does enter production. It also plans to enhance certain other parts of its cybersecurity operations, such as the way it manages customer login requests. 

The launch of the initiative follows two high-profile cybersecurity incidents involving the software giant. Earlier this year, a China-linked hacking group used a flaw in Microsoft’s Exchange Online email platform to compromise the inboxes of several U.S. government officials. More recently, cybersecurity startup Wiz Inc. discovered that the company had accidentally exposed 38 terabytes of internal data through a misconfigured GitHub repository.

The first priority of the Secure Future Initiative is to reduce the occurrence of vulnerabilities in Microsoft products. To that end, the company will have its developers increase their use of memory-safe programming languages such as Java, C# and Python. Code written in such languages is less susceptible to certain types of bugs that can be used by hackers to steal data.

The RAM in which an application keeps its data is divided into numerous small segments called buffers. Memory-safe languages automatically manage the movement of data to and from buffers. As a result, developers don’t have to manually write memory management code, which means there are fewer opportunities for vulnerabilities to emerge.

Microsoft also plans to enhance its products’ security in other ways. The company’s developers will more widely adopt CodeQL, an open-source tool built by GitHub that can automatically scan code for vulnerabilities. Additionally, Microsoft will streamline the way it carries out threat modeling, or the process of searching for security flaws in internal systems.

In addition to reducing the number of vulnerabilities that make it to production, Microsoft hopes to more quickly fix the ones its developers don’t catch before release. The company has set a goal of doubling the speed at which it fixes vulnerabilities in its cloud services.

As part of the effort, Microsoft is rolling out a new remediation methodology dubbed dSDL. It relies on CI/CD, or continuous integration and continuous delivery, software to facilitate the quick release of security patches. CI/CD tools enable developers to roll out application updates up to several times a day by automating many of the manual, time-consuming tasks historically involved in deploying software.

“We’re going to apply the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate,” Charlie Bell, executive vice president of Microsoft Security, wrote in a blog post.

Microsoft’s Secure Future Initiative also has other elements. The company plans to roll out more secure default settings for customers, as well as increase its use of identity libraries such as the Microsoft Authentication Library. Those are software tools that make it more difficult for hackers to sign into customer accounts using stolen or forged login credentials.

Lastly, Microsoft will move the encryption keys it uses to power some of its identity features to an “integrated, hardened Azure HSM.” An HSM, or hardware security module, is a tamper-resistant chip or server built specifically to store sensitive data. Microsoft said that the encryption keys in the system will be frequently refreshed to further increase security.

“Signing keys are not only encrypted at rest and in transit, but also during computational processes as well,” Bell detailed. “Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever.”
