Microsoft is overhauling its software security after major Azure cloud attacks

Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we’ve ever seen. Then, 30,000 organizations’ email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren’t enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It’s the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called for a Trustworthy Computing initiative in an internal memo.

Microsoft president Brad Smith has been warning about the increase in cyberattacks for years.
Photo by Pedro Fiúza / NurPhoto via Getty Images

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands.

In an internal memo to Microsoft’s engineering teams today, the company’s leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of “blatantly negligent” cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

“Satya Nadella, Rajesh Jha, Scott Guthrie, and I have put significant thought into how we should respond to the increasingly more sophisticated threats,” explains Charlie Bell, head of Microsoft security, in an internal memo distributed today. “To this end, we have committed to three specific engineering advances we are taking on our journey of continually improving the built-in security of our products and platforms. These advances comprise what we’re calling the Secure Future Initiative. Collectively, they improve security for customers both in the near term and against threats we know will increase over the horizon.”

The first big change is how Microsoft develops its software. The company will rely on more automation and AI to catch security risks and vulnerabilities. This includes leveraging CodeQL, the code analysis engine developed by GitHub, to automate security checks…