A secure software supply chain represents another facet of Microsoft's built-in security to enhance and maintain trust in our products. It's a continuation of the journey we embarked upon since the launch of the Security Development Lifecycle (SDL) in 2004 and represents our commitment to continually enhance Microsoft's foundational security.

## Understanding the Supply Chain Threat

A supply chain attack is usually characterized as "two (or more) separate attacks". The first is an initial compromise in the hope of compromising a downstream consumer. An example of this would be compromising a popular open source component so that as developers around the world consume the latest version, they unknowingly ingest a malicious or backdoored package. These types of threats primarily target developers and the systems that developers use. Put simply, as seen with incidents such as Solorigate and 3CX, attackers have been shifting left, earlier in the software development lifecycle.

We constructed a threat model of Microsoft's engineering system: the Continuous Integration / Continuous Deployment (CI/CD) platform, identities, and all connected devices (such as Microsoft Dev Box and GitHub Codespaces) used by our developers. This enabled us to enumerate all the threats to the engineering system using real-world threat reports, and to calculate risk scores for each. This helped us establish a list of requirements for securing the software supply chain that exceeds what was required by the U.S. We then used the risk scores to determine which security investments to prioritize so we could systematically drive down risk.

## Simplifying the Complex: How we model the space

The software supply chain is a vast, global landscape comprised of an interconnected web of software producers and consumers. This article focuses on a single aspect of an overall software supply chain: securing the production and consumption of software throughout the software development lifecycle (SDLC) to maintain the trust of our downstream consumers.

This diagram represents how our security frameworks and our software development platforms come together.

## Using the SDL to Secure our Software Supply Chain

The Microsoft SDL was originally focused on secure design and secure coding practices. Since its inception, the SDL requirements have evolved along with software development practices (such as Agile) and with changes in technology (Cloud, AI/ML). Most recently, and in alignment with the U.S. Presidential Executive Order 14028, Microsoft incorporated its Secure Supply Chain requirements into the SDL.
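As an added example (not part of the original article, and not Microsoft's own tooling), the following Python check illustrates the consumption side of the threat described under "Understanding the Supply Chain Threat": a build gate that refuses to ingest a component unless it is version-pinned and its artifact hash matches the lock record, so a newly published backdoored "latest" release is not consumed. Package names, versions and artifact bytes are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed lock records: name -> (pinned version, expected sha256 of the artifact).
# None means the field was never recorded; that gap is what a backdoored
# "latest" release relies on to be ingested unnoticed.
LOCK = {
    "parserlib": ("2.4.1", sha256_hex(b"parserlib-2.4.1 (constructed artifact)")),
    "netutils": ("1.0.0", None),   # version pinned, but no artifact hash recorded
    "buildhelper": (None, None),   # floats to whatever is latest: the risky pattern
}

def check_dependency(name: str, artifact: bytes, lock: dict) -> str:
    """Return 'ok' or the reason this artifact must not be consumed."""
    version, expected = lock.get(name, (None, None))
    if version is None:
        return "unpinned"        # would silently ingest a newly published release
    if expected is None:
        return "unhashed"        # name+version pinned, but a swapped artifact is undetectable
    if sha256_hex(artifact) != expected:
        return "hash-mismatch"   # artifact differs from the one that was reviewed and locked
    return "ok"

def gate(fetched: dict, lock: dict) -> dict:
    """Evaluate every fetched artifact; a build should stop on anything but 'ok'."""
    return {name: check_dependency(name, data, lock) for name, data in fetched.items()}

# Constructed artifacts as "fetched" from an index, plus one altered after locking.
FETCHED = {
    "parserlib": b"parserlib-2.4.1 (constructed artifact)",
    "netutils": b"netutils-1.0.0 (constructed artifact)",
    "buildhelper": b"buildhelper-9.9.9 (constructed artifact)",
}
TAMPERED = {"parserlib": b"parserlib-2.4.1 (constructed artifact) + injected payload"}

if __name__ == "__main__":
    for label, batch in (("clean fetch", FETCHED), ("tampered fetch", TAMPERED)):
        for name, verdict in gate(batch, LOCK).items():
            print(f"{label}: {name}: {verdict}")
```

Only "parserlib" in the clean batch passes; the two weaker lock records are reported even though their artifacts were not altered, which is the point of gating on the record rather than on the download.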