Microsoft joins the FinOps Foundation

In today’s economic times, the criticality of cost efficiency is at an all-time high. Organizations need high-quality guidance backed by products and services that help you achieve and maintain that efficiency. This is a large part of what we do today within the Cost Management team and the larger Commerce organization here at Microsoft. In that vein, we are excited to announce that Microsoft has joined the FinOps Foundation as a premier member and has joined the Governing Board defining the strategy and vision of the organization. Together, we can deliver unparalleled guidance and innovative solutions that empower organizations to increase efficiency and accelerate growth.

"I’m very enthusiastic about our partnership with the FinOps Foundation and our membership as part of the FinOps community. Optimizing cloud workloads is more important than ever for companies of all sizes in all industries. For Microsoft this collaboration with the FinOps Foundation and our industry partners will empower Microsoft Cloud customers and partners to leverage the cost management best practices and industry-standard operating procedures cultivated by the FinOps community." —Vivek Dalvi, Corporate Vice President, Commerce Platform and Experiences

What is the FinOps Foundation?

The FinOps Foundation is a non-profit organization hosted at the Linux Foundation dedicated to advancing people who practice the discipline of cloud financial management via best practices, education, and standards. The FinOps Foundation community is made up of practitioners around the world, including many of our valued Microsoft Cloud customers and partners. The FinOps Foundation hosts working groups and special interest groups covering topics like cost and usage data standardization, containers and Kubernetes, and sustainability based on real-world stories and expertise from the community.

“Microsoft is a bellwether technology leader who is aligned to our vision of accelerating the growth of FinOps practitioners with its presence, leadership, and innovation. We welcome Microsoft as a Premier Member as its membership will be a huge asset to the larger FinOps community and development and maturation of best practices across industries and the world.” —JR Storment, Executive Director of the FinOps Foundation.

Microsoft and the FinOps Foundation

My colleague, Jimin Li, joined the Foundation Governing Board in January and we’ve already begun participating in working groups and special interest groups, but that’s just the beginning. As we look toward our future as part of the FinOps Foundation, we’re exploring five primary focus areas over the coming months:

Defining specifications and evolving best practices

We are excited to join the FinOps Foundation and our industry partners in defining, evangelizing, and implementing best practices and specifications like the FinOps Open Cost and Usage Specification (FOCUS). We’re already actively contributing to this program and looking forward to sharing our joint developments broadly.

Aligning our collective guidance

We offer a wealth of guidance from architecture documentation, like Microsoft Cloud Adoption Framework and Azure Well-Architected Framework, to our products, like Microsoft Cost Management and Azure Advisor. While we tell the same underlying story as the FinOps Foundation, we believe the closer our guidance is aligned to the FinOps Framework, the easier it will be for individuals and organizations to understand and implement. As a first step, I’ve contributed to the second edition of the O’Reilly Cloud FinOps book.

Improving our products and services

Similar to how we plan to align our guidance, we see opportunities to align our products and services to the FinOps Framework while learning more about customer needs from the vibrant multicloud community of practitioners in the FinOps Foundation forums. We view FinOps adoption as an end-to-end experience for people and organizations, and for many of them that experience can start and end with the product itself. We aim to be good citizens in the community by contributing and listening.

Advancing training and certification programs

The FinOps Foundation offers several great training and certification programs, such as the FinOps Certified Practitioner and FinOps Certified Professional, geared towards helping people advance within their careers and growing the community at large. We look forward to working with the FinOps Foundation to improve material specifically focused on the Microsoft Cloud and to certify relevant Microsoft teams in FinOps.

Fun fact: Microsoft has the largest number of FinOps Certified Professionals at any organization in the world!

Engaging with the community

I’ve mentioned the FinOps Foundation community several times now, but I’m not sure I’ve really done it justice. With over 8,700 members and growing rapidly, the community behind the FinOps Foundation is truly the driving force of the success of the organization. We are extremely enthusiastic about this opportunity to collaborate with and learn from this passionate community as we engage in various programs and initiatives, like the upcoming FinOps X conference where Microsoft is a platinum sponsor. The more we learn, the better we can support you and help you achieve more.

What’s next?

We’re looking forward to the many exciting opportunities ahead of us as we partner with the FinOps Foundation, seeking to make cost management and optimization—or "FinOps"—easier to adopt and implement within the Microsoft Cloud. We have only scratched the surface here, so stay tuned by following Cost Management updates over the coming months.

To learn more about the FinOps Foundation and to participate in the community, please join us at finops.org or in person at FinOps X in June.
Source: Azure

Microsoft Azure Security expands variant hunting capacity at a cloud tempo

In the first blog in this series, we discussed our extensive investments in securing Microsoft Azure, including more than 8,500 security experts focused on securing our products and services, our industry-leading bug bounty program, our 20-year commitment to the Security Development Lifecycle (SDL), and our sponsorship of key open-source software security initiatives. We also introduced some of the updates we are making in response to the changing threat landscape, including improvements to our response processes, investments in secure multitenancy, and the expansion of our variant hunting efforts to include a global, dedicated team focused on Azure. In this blog, we’ll focus on variant hunting as part of our larger overall security program.

Variant hunting is an inductive learning technique, going from the specific to the general. Using newly discovered vulnerabilities as a jumping-off point, skilled security researchers look for additional and similar vulnerabilities, generalize the learnings into patterns, and then partner with engineering, governance, and policy teams to develop holistic and sustainable defenses. Variant hunting also looks at positive patterns, trying to learn from success as well as failure, but through the lens of real vulnerabilities and attacks, asking the question, “why did this attack fail here, when it succeeded there?”

In addition to detailed technical lessons, variant hunting also seeks to understand the frequency at which certain bugs occur, the contributing causes that permitted them to escape SDL controls, the architectural and design paradigms that mitigate or exacerbate them, and even the organizational dynamics and incentives that promote or inhibit them. It is popular to do root cause analysis, looking for the single thing that led to the vulnerability, but variant hunting seeks to find all of the contributing causes.

While rigorous compliance programs like the Microsoft SDL define an overarching scope and repeatable processes, variant hunting provides the agility to respond to changes in the environment more quickly. In the short term, variant hunting augments the SDL program by delivering proactive and reactive changes faster for cloud services; in the long term, it provides the critical feedback loop necessary for continuous improvement.

Leveraging lessons to identify anti-patterns and enhance security

Starting with lessons from internal security findings, red team operations, penetration tests, incidents, and external MSRC reports, the variant hunting team tries to extract the anti-patterns that can lead to vulnerabilities. To be actionable, an anti-pattern must be scoped at a level of abstraction more specific than, for example, “validate your input” but less specific than “there’s a bug on line 57.”

Having distilled an appropriate level of abstraction, variant hunting researchers look for instances of the anti-pattern and perform a deeper assessment of the service, called a “vertical” variant hunt. In parallel, the researcher investigates the anti-pattern’s prevalence across other products and services, conducting a “horizontal” variant hunt using a combination of static analysis tools, dynamic analysis tools, and skilled review.

Insights derived from vertical and horizontal variant hunting inform architecture and product updates needed to eliminate the anti-pattern broadly. Results include improvements to processes and procedures, changes to security tooling, architectural changes, and, ultimately, improvements to SDL standards where the lessons rapidly become part of the routine engineering system.

For example, one of the static analysis tools used in Azure is CodeQL. When a newly identified vulnerability does not have a corresponding query in CodeQL the variant hunting team works with other stakeholders to create one. New “specimens”—that is, custom-built code samples that purposely exhibit the vulnerability—are produced and incorporated into a durable test corpus to ensure learnings are preserved even when the immediate investigation has ended. These improvements provide a stronger security safety net, helping to identify security risks earlier in the process and reducing the re-introduction of known anti-patterns into our products and services.

Azure Security's layered approach to protecting against server-side threats

Earlier in this series, we highlighted security improvements in Azure Automation, Azure Data Factory, and Azure Open Management Infrastructure that arose from our variant hunting efforts. We would call those efforts “vertical” variant hunting.

Our work on Server-Side Request Forgery (SSRF) is an example of “horizontal” variant hunting. The impact and prevalence of SSRF bugs have been increasing across the industry for some time. In 2021 OWASP added SSRF to its top 10 list based on feedback from the Top 10 community survey—it was the top requested item to include. Around the same time, we launched a number of initiatives, including:

Externally, Azure Security recognized the importance of identifying and hardening against SSRF vulnerabilities and ran the Azure SSRF Research Challenge in the fall of 2021.
Internally, we ran a multi-team, multi-division effort to better address SSRF vulnerabilities using a layered approach.
Findings from the Azure SSRF Research Challenge were incorporated into new CodeQL rules that detect more SSRF bugs.
Internal research drove investment in new libraries for parsing URLs to prevent SSRF bugs and new dynamic analysis tools to help validate suspected SSRF vulnerabilities.
New training has been created to enhance prevention of SSRF vulnerabilities from the start.
Targeted investments by product engineering and security research contributed to the creation of new Azure SDK libraries for Azure Key Vault that will help prevent SSRF vulnerabilities in applications that accept user-provided URIs for a customer-owned Azure Key Vault or Azure Managed HSM.

This investment in new technology to reduce the prevalence of SSRF vulnerabilities helps ensure the security of Azure applications for our customers. By identifying and addressing these vulnerabilities, we are able to provide a more secure platform for our customers on which to build and run their applications.
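The two mechanisms described above, a stricter URL-parsing layer for user-supplied Key Vault URIs and a durable corpus of "specimens" that purposely exhibit the anti-pattern, can be illustrated together. The following is an added example written for this page; it is not Azure SDK code, nor a CodeQL query, and the host suffixes, function names and specimen URIs are assumptions chosen for illustration. It validates a user-provided vault URI in layers: strict parsing with an allow-list of scheme, port and host suffix, then a check that every resolved address is a public one (the resolver is injectable so the example runs offline), and finally a small specimen corpus that records which inputs must be rejected so the lesson survives after the investigation ends.

```python
"""Layered SSRF defense for user-supplied Key Vault style URIs (added example).

Assumptions (not from the original post): the service may only reach hosts
under ALLOWED_SUFFIXES, only over https on port 443, and never at a private,
loopback, link-local or otherwise non-public address such as the IMDS endpoint.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit, urlunsplit

# Assumed allow-list of vault host suffixes; the apex names themselves are not vaults.
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
_HOST_CHARS = re.compile(r"[a-z0-9.-]+")


def parse_vault_uri(uri: str) -> str:
    """Layer 1: strict parse. Return a canonical https://host/path URI or raise ValueError."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise ValueError(f"unparseable URI: {exc}") from None
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    # 'https://contoso.vault.azure.net@169.254.169.254/' parses with hostname 169.254.169.254;
    # refusing any userinfo closes that whole class of confusion.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host or not _HOST_CHARS.fullmatch(host):
        raise ValueError("missing or malformed host")
    if port not in (None, 443):
        raise ValueError("only port 443 is allowed")
    # Suffix match including the leading dot, so 'vault.azure.net' and
    # 'contoso.vault.azure.net.attacker.example' are both rejected.
    if not any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES):
        raise ValueError(f"host {host!r} is not an allowed vault host")
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_blocked_address(ip: str) -> bool:
    """Layer 2 helper: True for any address an outbound vault call must never reach."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 ('::ffff:169.254.169.254') is a classic bypass; unwrap it first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolver(host: str) -> list:
    return [ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)]


def resolve_checked(host: str, resolver=None) -> list:
    """Layer 2: resolve the host and refuse if ANY answer is blocked.

    The caller should then connect to one of the returned addresses rather than
    re-resolving the name, so a rebinding answer cannot slip in between check and use.
    """
    answers = (resolver or _system_resolver)(host)
    if not answers:
        raise ValueError(f"{host} did not resolve")
    bad = [ip for ip in answers if is_blocked_address(ip)]
    if bad:
        raise ValueError(f"{host} resolves to blocked address(es) {bad}")
    return answers


# Constructed specimen corpus: each URI purposely exhibits (False) or lacks (True)
# the anti-pattern, so the lesson is re-checked on every run, not just once.
SPECIMENS = {
    "https://contoso.vault.azure.net/secrets/db": True,
    "https://contoso.managedhsm.azure.net/keys/k1": True,
    "http://contoso.vault.azure.net/secrets/db": False,                # plaintext downgrade
    "https://contoso.vault.azure.net@169.254.169.254/metadata": False,  # userinfo trick
    "https://contoso.vault.azure.net.attacker.example/": False,        # suffix confusion
    "https://attacker.example/?u=contoso.vault.azure.net": False,      # allowed name in query only
    "https://169.254.169.254/metadata/instance": False,                # IMDS directly
    "https://contoso.vault.azure.net:8443/": False,                    # non-default port
    "https://vault.azure.net/": False,                                 # apex, not a vault
}


def run_specimens(corpus=SPECIMENS) -> dict:
    """Return {uri: True} where the parser's verdict matched the corpus expectation."""
    results = {}
    for uri, expected_ok in corpus.items():
        try:
            parse_vault_uri(uri)
            accepted = True
        except ValueError:
            accepted = False
        results[uri] = (accepted == expected_ok)
    return results


if __name__ == "__main__":
    for uri, ok in run_specimens().items():
        print("PASS" if ok else "FAIL", uri)
```

The string layer alone is not sufficient: a host that passes the suffix check can still resolve to a private address, so the resolved-address check is the second layer, and the HTTP client should connect to the address that was checked rather than resolving the name again. Any URI that fails in production is a candidate for a new specimen, which is the feedback loop the post describes.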

In summary, Azure has been a leader in the development and implementation of variant hunting as a method for identifying and addressing potential security threats. We have hired and deployed a global team focused exclusively on variant hunting, working closely with the rest of the security experts at Microsoft. This work has resulted in more than 800 distinct security improvements to Azure services since July 2022. We encourage security organizations all over the world to adopt or expand variant hunting as part of their continuous learning efforts to further improve security.

Learn more about Azure security and variant hunting

Read the first blog in this series to learn about Azure’s security approach, which focuses on defense in depth, with layers of protection throughout all phases of design, development, and deployment of our platforms and technologies.
Learn more about the out-of-the-box security capabilities embedded in our cloud platforms.
Register today for Microsoft Secure on March 28 to view our session covering built-in security across the Microsoft Cloud.

Source: Azure