Marketplace blog

Strengthening the software development company supply chain with DevSecOps practices

vicperdana (Microsoft)
Mar 27, 2025

As cyber threats grow in complexity and frequency, embedding security into the product design lifecycle is no longer optional—it’s essential. In the Microsoft Security for ISV series, our fourth session, “Strengthen the software development company supply chain with DevSecOps practices,” provides in‐depth insights into how software development companies can build robust, secure, and resilient applications while accelerating development processes. By integrating security into every phase—from design to production—software development companies can protect customer data, ensure compliance, and build lasting trust.

Understanding the Evolving Threat Landscape

According to GitGuardian’s 2024 report, public GitHub repositories saw an alarming surge in hardcoded secrets — with nearly 24 million new secrets (23,770,171) added last year. This represents a 25% increase compared to the previous year and highlights a troubling trend: long-lived plaintext credentials such as API keys, passwords, and authentication tokens continue to proliferate in open-source projects. Despite GitHub’s efforts to filter out known credential patterns during the push process, the rise in generic secrets—which can include common usernames, unstructured passwords, or basic auth strings—remains largely unmitigated, providing attackers of any skill level with an easy entry point and the ability to move laterally within systems.

Key Security Strategies for Software Development Companies

Embedding Security Throughout the Software Development Lifecycle

The evolution of DevSecOps is transforming how organizations approach application security. Michael Friedrich, Cloud Solution Architect at Microsoft, underscored two primary challenges:

  • Growing code bases often come with increased vulnerabilities
  • Developers need intuitive security tooling that doesn’t disrupt productivity

DevSecOps is all about “shifting security left” by integrating security practices throughout development—as code is written, built, and deployed—instead of addressing vulnerabilities only after production. This approach not only saves time and resources but also reduces the likelihood of exploiting application-level vulnerabilities.

Key strategies include:

  • Early threat modelling to identify and mitigate risks before deployment
  • Collaborative workflows that bring together developers and security teams
  • Continuous scanning methods (static analysis, secret scanning, dependency review) to catch issues early

For a deeper dive, explore Microsoft’s Secure Development Lifecycle guide (https://www.microsoft.com/en-us/securityengineering/sdl).

Integrating GitHub Advanced Security and Microsoft Defender for Cloud

GitHub and Microsoft work in unison for a unified secure development experience. GitHub Advanced Security is embedded directly into the developer workflow to detect vulnerabilities through advanced code scanning (powered by CodeQL), secret scanning, and dependency checks. The integration means that security alerts are provided as developers code—not as an afterthought—which speeds up remediation and reduces production issues.

In parallel, Microsoft Defender for Cloud (formerly Defender CSPM) offers a cloud security posture management solution that:

  • Pinpoints and prioritizes risks with a context-aware engine
  • Provides actionable, recommendation-driven insights for DevOps environments
  • Delivers continuous scanning across multi-cloud environments and CI/CD pipelines

Learn more about Microsoft Defender for Cloud at https://docs.microsoft.com/en-us/azure/defender-for-cloud and enhance your cloud security posture.

The Secure Future Initiative: Secure by Design, Default, and Operations

Microsoft’s “Secure Future Initiative” (SFI) is a comprehensive framework that ensures security is embedded into every stage of product development and operations through three core principles:

  • Secure by Design
    • Incorporate security during the planning and architecture phases
    • Protect identities and secrets from the start with strong key rotation, hardware security modules, and no hard-coded secrets
  • Secure by Default
    • Enforce robust security configurations so that protection is on by default (for example, MFA enforcement and least privilege access)
  • Secure Operations
    • Establish continuous monitoring protocols, rapid incident response, and centralized security logs
    • Use tools like Microsoft Sentinel for real-time threat analytics

These foundational elements ensure that as software development companies develop and scale innovative solutions—including those leveraging artificial intelligence—security remains a steadfast pillar.

For additional guidance on the Secure Future Initiative, visit https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative.

Strengthening the Software Development Company Supply Chain with Modern DevSecOps Practices

Modern software supply chains often include third-party dependencies, open-source libraries, and automated pipelines. Traditional security measures can’t keep pace with today’s integrated development models. Therefore, it’s critical to:

  • Employ code signing and package verification for third-party components
  • Adopt continuous security scanning using solutions like GitHub’s secret scanning with push protection
  • Integrate Microsoft Defender for DevOps for comprehensive visibility from code to cloud

For more on secure supply chain strategies, check out the Secure Supply Chain Consumption Framework (https://www.microsoft.com/en-us/securityengineering/opensource).
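To make the “generic secret” problem from the GitGuardian figures and the push-protection strategy above concrete, here is an added example (not the session’s material and not GitHub’s own push-protection implementation) of a pre-push style check: fixed-format tokens are matched by pattern, keyword assignments are judged by entropy, and placeholders are skipped. The pattern set, the entropy threshold and every sample credential are constructed for illustration.

```python
import math
import re

# High-confidence token formats (a constructed subset; the real push-protection ruleset is far larger).
STRUCTURED = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "basic_auth_in_url": re.compile(r"https?://[^\s/:@]+:[^\s@]+@[^\s/]+"),
}
# "Generic" secrets have no fixed format: a credential-like keyword assigned a value.
GENERIC = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)[\w-]*\s*[=:]\s*['\"]?([^'\"\s]{8,})"
)
# Values that are variable references or obvious dummies rather than live credentials.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|%\w+%|\*+|x+|changeme|example)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking credentials score higher than words."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def scan_for_secrets(text: str, min_entropy: float = 3.0) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every line that should block the push."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in STRUCTURED.items():
            if pattern.search(line):
                findings.append((lineno, kind))
        match = GENERIC.search(line)
        if match:
            value = match.group(2)
            if not PLACEHOLDER.match(value) and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "generic_secret"))
    return findings


# Constructed sample of staged content; every credential is fake or a published documentation example.
SAMPLE = """\
db_password = "S3cr3t-P@ssw0rd!"
db_password = "${DB_PASSWORD}"
github_token = ghp_0123456789abcdefghijklmnopqrstuvwxyz
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
remote = https://deploy:Passw0rd123@git.example.com/repo.git
secret = "aaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, kind in scan_for_secrets(SAMPLE):
        print(f"push blocked: line {lineno}: {kind}")
```

Note that line 3 of the sample is reported twice, once by the structured rule and once by the generic one; a real scanner would deduplicate, but the double hit shows why generic detection still matters for tokens whose format is not yet known.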

Real-World Insights from BuildKite and the Role of DevSecOps

Guest speaker Ken Thompson, VP of Product at BuildKite, shared practical examples from the front lines of secure continuous integration and delivery. BuildKite’s hybrid model, combining a software-as-a-service control plane with open-source on-premises agents, ensures that sensitive code and secrets never leave a customer’s infrastructure. This design enhances security while enabling:

  • Rapid build times with hyper-parallelized pipelines
  • Integrated security scanning within every build, thereby “shifting left” security
  • Proven practices like the SLSA framework for artifact provenance, which verifies that code and pipelines are built in a trusted manner

Ken highlighted examples where Uber has reduced build times from an hour to mere minutes while ensuring every pipeline pass incorporates critical vulnerability scanning. This demonstrates that robust security practices and efficiency can go hand in hand.
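As an added example (not BuildKite’s code and not the SLSA project’s tooling), this is what the consumer side of the SLSA artifact-provenance check mentioned above amounts to: hash the downloaded artifact, match it against the provenance subject, and confirm the builder identity is on an allowlist. The statement, builder id, source URL and artifact bytes are constructed; a real attestation arrives in a signed DSSE envelope whose signature must be verified before these checks, which this example assumes has already happened.

```python
import hashlib

# Constructed SLSA v1 provenance in the in-toto Statement layout. The artifact bytes, the
# builder id and the source URL are hypothetical placeholders, not real infrastructure.
ARTIFACT = b"constructed release binary bytes\n"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.com/buildtypes/pipeline/v1",
            "externalParameters": {"source": "https://git.example.com/org/app@refs/tags/v1.2.3"},
        },
        "runDetails": {"builder": {"id": "https://ci.example.com/builders/hardened/v1"}},
    },
}
# Only artifacts produced by these builder identities are acceptable for deployment.
TRUSTED_BUILDERS = {"https://ci.example.com/builders/hardened/v1"}


def verify_provenance(artifact: bytes, name: str, statement: dict,
                      trusted_builders: set[str]) -> tuple[bool, str]:
    """Consumer-side checks: statement shape, subject digest, and builder allowlist."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "unexpected statement type"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "predicate is not SLSA v1 provenance"
    actual = hashlib.sha256(artifact).hexdigest()
    # Map each subject name to its sha256 so a renamed or swapped artifact cannot pass.
    subjects = {s["name"]: s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if subjects.get(name) != actual:
        return False, "artifact digest does not match any provenance subject"
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    return True, "ok"


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, "app-linux-amd64", PROVENANCE, TRUSTED_BUILDERS))
    # A single flipped byte in the artifact is enough to fail the digest check.
    print(verify_provenance(ARTIFACT + b"x", "app-linux-amd64", PROVENANCE, TRUSTED_BUILDERS))
```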

Taking Action: Strengthening Your Security Posture Today

Security is an ongoing journey. By adopting proactive security strategies, embracing DevSecOps practices, and integrating industry-leading tools, software development companies can build resilient, trusted applications that stand up to today’s cyber threats.

Action Steps for Software Development Companies:

  • Embed security into every phase of your SDLC
  • Strengthen identity and access with strong MFA, conditional access, and the Zero Trust model
  • Secure secrets using Azure Key Vault and GitHub Advanced Security for automated secret scanning
  • Enhance supply chain security through continuous scanning and vulnerability remediation
  • Monitor your cloud environments with Microsoft Defender for Cloud and Microsoft Sentinel for real-time insights

Additional Resources:

Updated Mar 28, 2025
Version 3.0