Microsoft’s Safe by Design journey: One 12 months of success

Cybersecurity is without doubt one of the prime dangers dealing with companies. Organizations are struggling to navigate the ever-evolving cyberthreat panorama during which 600 million identification assaults are carried out every day.¹ The median time for a cyberattacker to entry personal knowledge from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.² Organizations additionally face unprecedented complexity, making safety jobs tougher—57% of organizations are utilizing greater than 40 safety instruments, which requires vital resourcing and energy to combine workflows and knowledge.³ These challenges are magnified by the worldwide safety expertise scarcity organizations are dealing with and there are greater than 4 million safety jobs unfilled worldwide, rising insider dangers, and the quickly evolving regulatory panorama in the present day.⁴ These cybersecurity challenges can’t solely improve vital enterprise disruptions, they will additionally create devastating financial damages—the price of cybercrime is anticipated to develop at 15% 12 months over 12 months, reaching $15.6 trillion by 2029.⁵ 

In November 2023, to handle the evolution of the digital and regulatory panorama, and the unprecedented modifications within the cyberthreat panorama, we introduced the Microsoft Safe Future Initiative. The Safe Future Initiative (SFI) is a multiyear effort to revolutionize the best way we design, construct, take a look at, and function our services, to realize the very best safety requirements. SFI is our dedication to enhance Microsoft’s safety posture, thereby enhancing the safety posture of all our clients, and to work with governments and business to enhance the safety posture of all the ecosystem.

Final 12 months, the Cybersecurity and Infrastructure Safety Company (CISA), by way of its “Safe by Design” pledge, known as on the know-how business to prioritize safety at each stage of product improvement and deployment. This method of embedding cybersecurity in digital supply from the outset can also be mirrored in the UK’s Authorities’s Cyber Safety Technique in addition to within the Australian Cyber Safety Centre (ACSC)’s “Important Eight” mitigation methods to guard towards cyberthreats. All through this weblog submit, the time period “Safe by Design” encompasses each “safe by design” and “safe by default.”

Microsoft dedicated to work in direction of key objectives throughout a spectrum of Safe by Design ideas advocated by quite a few authorities businesses all over the world. These objectives goal to reinforce safety outcomes for patrons by embedding strong cybersecurity practices all through the product lifecycle. We proceed to take our learnings, feed them again into our safety requirements, and operationalize these learnings as paved paths that may allow safe design and operations at scale. Our SFI updates present examples of Microsoft’s progress in implementing safe by design, safe by default, and safe in operations ideas, and supply finest practices based mostly on Microsoft’s personal expertise, demonstrating our dedication to enhancing safety for patrons.

Preserve studying to be taught concerning the initiatives Microsoft has undertaken over the previous 18 months to help safe by design aims as a part of our SFI initiative. It’s organized round our SFI ideas to supply our clients and companions with an understanding of the strong safety measures we’re implementing to safeguard their digital environments.

Enhancing safety with multifactor authentication and default password administration

Phishing-resistant multifactor authentication supplies probably the most strong protection towards password-based cyberattacks, together with credential stuffing and password theft. This consists of selling multifactor authentication amongst clients, implementing it as a default requirement for entry, and collaborating in efforts to ascertain long-term requirements in authentication.

In October 2024, Microsoft carried out obligatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin heart, and Microsoft Intune admin heart. Since then, Microsoft has labored with our clients to scale back extensions and quickly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords throughout merchandise. Microsoft has launched enhancements to streamline authentication and enhance sign-in experiences, emphasizing usability and safety. Customers can now take away passwords from their accounts and use passkeys as an alternative, addressing vulnerabilities and stopping unauthorized entry.

On March 26, 2025, Microsoft launched a brand new sign-in expertise for greater than 1 billion customers. By the top of April 2025, most Microsoft account customers will see up to date sign-in and sign-up consumer expertise flows for internet and cellular apps. This new consumer expertise is optimized for a passwordless and passkey-first expertise. Microsoft can also be updating the account sign-in logic to make passkey the default sign-in alternative every time doable.

Further examples of Microsoft enhancing authentication and the way clients can be taught from Microsoft’s method and options embody:

• Microsoft suggestions for organizations to get began deploying phishing-resistant passwordless authentication utilizing Microsoft Entra ID.
• Safety defaults make it simpler to assist shield towards identity-related cyberattacks like password spray, replay, and phishing widespread in in the present day’s environments. Be taught extra about preconfigured safety settings out there in Microsoft Entra ID.
• Microsoft’s Conditional Entry makes use of identity-driven alerts as a part of entry management choices.
• To assist forestall phishing, Microsoft added further hardening to Home windows Howdy, which is the multifactor authentication resolution built-in to Home windows. Home windows Howdy has additionally been prolonged to help passkeys, that are an business customary, and which we proceed to evolve. With Howdy and passkeys, on Home windows, it means a lot of the net could be protected with multifactor authentication, and other people now not want to decide on between a easy sign-in and a protected sign-in. 
• Find out how Microsoft is advancing decentralized identification requirements and verifiable credentials.
• Following GitHub’s April 2024 replace on a 12 months of progress in pushing multifactor authentication adoption, additional cohorts requiring multifactor authentication enablement have been rolled out up to now 12 months. This effort continues to drive multifactor authentication utilization with nearly 50% of contributing GitHub customers having multifactor authentication enabled. Of these, greater than 38% of customers have two or extra strategies of two-factor authentication enabled and greater than 3.6 million customers have a passkey enabled on their account. Moreover, GitHub has pushed for finest practices in multifactor authentication strategies, and in November 2024 shipped enhancements to the administration of multifactor authentication settings for organizations and enterprises that permit the restriction of insecure strategies of multifactor authentication equivalent to textual content messaging.

Decreasing complete courses of vulnerabilities

Most exploited vulnerabilities in the present day stem from sorts that may usually be mitigated on a big scale, equivalent to SQL injection, cross-site scripting, and reminiscence security language vulnerabilities. Governments goal to scale back these by encouraging corporations to undertake practices like eliminating authorization validation logic errors, enabling using memory-safe languages, creating safe firmware architectures, and implementing safe administrative protections. The aim is to reduce exploitation dangers by addressing systemic vulnerabilities at their root.

Our introduction of obligatory use of the Microsoft Authentication Library (MSAL) throughout all Microsoft purposes helps make sure that superior identification defenses, equivalent to token binding, steady entry analysis, and superior software assault detections, are constantly carried out. This standardizes safe authentication processes, making it considerably tougher for attackers to take advantage of identity-related vulnerabilities. MSAL permits builders to amass safety tokens from the Microsoft identification platform to authenticate customers and entry secured internet APIs. 

Microsoft can also be dedicated to adopting memory-safe languages, equivalent to Rust, for growing new merchandise and transitioning present ones. This method addresses widespread vulnerabilities associated to reminiscence security. Microsoft is investing closely into protected language to reinforce the protection of our code, and we’re making use of this new method to our safety platform and different key areas like Microsoft Floor and Pluton safety firmware.   

In Home windows 11, we’ve utilized a safe by design technique from the very first line of code. We have now established a {Hardware} Safety Baseline, which helps to make sure each Home windows 11 PC has constant {hardware} safety forming a safe basis. Home windows 11 has safe by default settings and stronger controls for what apps and drivers are allowed to run. That is essential as unverified apps and drivers result in malware and script assaults. And most malware and ransomware apps are unsigned, which implies they are often authored and distributed with out being provably protected. For shoppers and smaller organizations, Good App Management is a brand new characteristic that makes use of cloud AI to allow hundreds of thousands of identified protected apps to run, no matter the place you bought them. For bigger organizations, IT admins can layer on App Management for Enterprise insurance policies and deploy them utilizing Intune.  

With Home windows powering enterprise important options throughout all kinds of consumers, we’re dedicated to serving to make sure that Home windows stays probably the most safe and dependable platform. At Microsoft Ignite in 2024, we introduced the Home windows Resilience Initiative centered on enhancing the safety and resilience of the Home windows working system. This entails implementing superior security measures, enhancing risk detection and response capabilities, and to assist make sure that Home windows can stand up to and get well from cyberattacks. As a part of the Home windows Resilience Initiative, we’re working to guard towards widespread cyberattacks along with strengthening identification safety talked about above.  

As a part of this we’re addressing the long-standing problem of overprivileged customers and purposes, which create vital threat. But many individuals don’t wish to quit admin management of their PC. To assist strike the stability of admin privileges and safety we’re introducing Administrator safety (at the moment in Home windows Insiders). Admin safety offers you the safety of normal consumer permissions by default, and when wanted you possibly can securely authorize a just-in-time system change utilizing Home windows Howdy. As soon as the method has accomplished, the non permanent admin token is destroyed. This implies admin privileges don’t persist.  Admin safety will probably be disruptive to cyberattackers, as they now not have elevated privileges by default, which can assist organizations guarantee they continue to be in charge of Home windows. 

We’re additionally collaborating with endpoint safety companions to undertake protected deployment practices. This implies all safety product updates will probably be gradual, minimizing deployment dangers and monitoring to assist guarantee any unfavourable affect is saved to a minimal. Moreover, we’re growing new Home windows capabilities that permit safety product builders to construct their merchandise outdoors of kernel mode, lowering the affect to Home windows within the occasion of a safety product crash. 

One other key improvement is our safe by design consumer expertise (UX) toolkit. Human error causes the vast majority of safety breaches. The UX toolkit helps construct safer software program and enhance consumer safety experiences. This toolkit represents a brand new mind-set—the place design and safety aren’t siloed however are working collectively from the very starting. Adopted internally and shared externally, the toolkit helps different software program organizations in enhancing their safety practices.

Different actions Microsoft has labored on to eradicate courses of vulnerabilities embody:

• Continued help to allow builders to make use of the reminiscence protected language Rust on Home windows.
• Taking steps to mitigate Home windows NT LAN (NTLM) Relay Assaults by default towards Change Service, Energetic Listing Certificates Providers and Light-weight Listing Entry Protocol (LDAP).
• Zero Belief Area Identify System (DNS) preview expanded to incorporate Home windows 11 enterprise clients. This characteristic helps lock down units to solely access-approved community locations.
• Floor embedded firmware merchandise use of a widespread firmware structure.
• Launch of the Home windows 365 Hyperlink, which is the primary Cloud PC gadget for Home windows 365. Home windows 365 Hyperlink eliminates native knowledge and apps and has no native admin customers and supplies workers a approach to extra securely stream their Home windows 365 Cloud PC.
• GitHub launched CodeQL help for GitHub Actions workflow information. This new static evaluation functionality identifies widespread steady integration and steady supply (CI/CD) flaws each in present code bases and earlier than they’re launched to assist eradicate this class of vulnerabilities. Utilizing this new characteristic, the GitHub Safety Lab was in a position to assist safe greater than 75 GitHub Actions workflows in open supply tasks, disclosing greater than 90 totally different vulnerabilities.

Boosting patch software charges

Well timed and efficient patch administration is critical for cybersecurity, as that is how we will cut back the window of alternative for malicious actors to take advantage of software program flaws.

Microsoft has made measurable will increase within the set up of safety patches, which we achieved by enabling automated set up of software program patches when doable and enabling this performance by default, in addition to by providing widespread help for these patches.

Microsoft continues to roll out main safety updates on the second Tuesday of every month, often called Patch Tuesday. This common schedule ensures that every one methods obtain well timed updates to handle important vulnerabilities, thereby lowering the chance of exploitation by cyberattackers.

Constructing on this basis, Microsoft has made vital strides in enhancing the replace course of with Home windows 11. By lowering the variety of required system restarts from 12 to 4 per 12 months by way of using Hotpatch updates, we now have additional streamlined operations and inspired organizations to stay compliant with patching necessities.

Different examples of our efforts in to spice up patch and safety replace charges embody:

• Home windows Hotpatch: Introduced at Microsoft Ignite 2024, this supplies a 60% discount in time to undertake safety updates, assisted by making use of updates seamlessly with out system restarts.
• Microsoft has emphasised the significance of clearly speaking the anticipated lifespan of merchandise on the time of sale and investing in provisioning capabilities to ease buyer transitions to supported variations when merchandise attain the top of their lifecycle. This technique ensures that clients are well-informed and may easily adapt to new applied sciences.

Adopting a Vulnerability Disclosure Coverage (VDP) and Widespread Vulnerabilities and Exposures (CVE) 

Coordinated vulnerability disclosure, a apply Microsoft adopted greater than a decade in the past, advantages each safety researchers and software program producers by enabling collaboration to reinforce product safety. A VDP that authorizes public testing of merchandise, commits to refraining from authorized motion towards those that comply with the VDP in good religion, supplies a transparent channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities in accordance with coordinated vulnerability disclosure finest practices and worldwide requirements makes an actual distinction for cybersecurity. Moreover, producers can display transparency by together with correct Widespread Weak spot Enumeration (CWE) and Widespread Platform Enumeration (CPE) fields in each CVE document for the producer’s merchandise.

Our adoption of the CWE and CPE requirements in each CVE document for its merchandise is a vital achievement. This transparency facilitates correct and detailed details about vulnerabilities, facilitating well timed and efficient remediation. By issuing CVEs promptly for all important or high-impact vulnerabilities, Microsoft demonstrates its dedication to sustaining a safe atmosphere and defending its clients from potential cyberthreats.

One other notable spotlight is the publication of a machine-readable CSAF information, which give a transparent channel for reporting vulnerabilities and authorizes public testing of Microsoft merchandise. This fosters collaboration between safety researchers and software program producers, enabling the identification and mitigation of vulnerabilities in a coordinated method.

Different actions Microsoft has labored on to undertake VDP and CVE embody:

Empowering clients to detect and doc intrusions

Organizations ought to do extra to detect cybersecurity incidents and perceive their affect. To make sure they will do this, producers ought to present artifacts and evidence-gathering instruments, like audit logs.

An instance of Microsoft’s dedication on this space is our implementation of sturdy sensors and logs, enhancing detection of cyberthreats. This initiative supplies clients with actionable insights into potential intrusions, enabling swift responses and threat mitigation.

Different actions Microsoft has labored on to empower clients to detect and doc inclusions embody:

• Microsoft Purview has expanded its audit logging and retention intervals, amongst different safety enhancements, to extend safety visibility and incident response capabilities for cloud-based companies.
• Microsoft Safety Copilot gives prebuilt promptbooks to automate security-related duties, equivalent to incident investigations, consumer evaluation, and risk intelligence assessments, enhancing effectivity and accuracy in cybersecurity operations.
• Microsoft has supplied detailed steering on implementing the United States Division of Protection (DoD) Zero Belief Technique, with actions categorized into goal and superior phases to realize full Zero Belief adoption by 2032.
• Microsoft’s Expanded Cloud Logs Implementation Playbook supplies detailed steering on operationalizing new logging capabilities in Microsoft Purview Audit (Commonplace).
• Microsoft has revealed a whitepaper on classes discovered from crimson teaming greater than 100 generative AI merchandise at Microsoft. The whitepaper highlights the significance of understanding AI methods, breaking them with out computing gradients, and the need of human involvement in AI crimson teaming, amongst different subjects.

GitHub shipped enhanced capabilities to the GitHub audit log to supply clients with elevated visibility of API occasions and options to allow enterprise administration, automation, and integration.

To be taught extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our professional protection on safety issues. Additionally, comply with us on LinkedIn (Microsoft Safety) and X (@MSFTSecurity) for the newest information and updates on cybersecurity.

---

¹Microsoft Digital Protection Report 2024.

²Microsoft Digital Protection Report 2022.

³IDC North America Instruments and Distributors Consolidation Survey, 2023.

⁴2024 ISC2 Cybersecurity Workforce Research.

⁵International cybercrime estimated price 2029.