SKILL.md
--- frontmatter
applyTo: "**/*security*,**/*auth*,**/*credential*,**/*secret*,**/*vulnerability*,**/*CVE*"

Microsoft Secure Future Initiative (SFI) Skill

Security-first development practices aligned with Microsoft's SFI.

⚠️ Staleness Warning

Security practices evolve with new threats, vulnerabilities, and industry standards.

Refresh triggers:

  • New CVEs affecting our stack
  • Microsoft SFI updates
  • Major security incidents (industry-wide)
  • Dependency security advisories
  • Compliance requirement changes

Last validated: February 2026

Check current state: Microsoft SFI, OWASP, CVE Database


SFI Core Principles

Three principles anchor Microsoft's approach to SFI:

Principle | Focus
---|---
Secure by Design | Security comes first when designing any product or service
Secure by Default | Protections enabled/enforced by default, require no extra effort, not optional
Secure Operations | Security controls and monitoring continuously improved for current/future threats

Satya's Mandate (May 2024): "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security."


SFI Foundations

Four foundations that underpin successful security operations:

Foundation | Description
---|---
Security-first Culture | Daily behaviors reinforced through regular meetings between engineering and SFI leaders
Security Governance | Framework led by CISO, partnering with engineering teams to oversee SFI and manage risks
Continuous Improvement | Growth mindset integrating feedback and learnings from incidents into standards
Paved Paths & Standards | Best practices that optimize productivity, compliance, and security at scale

SFI Six Pillars

Pillar | Focus
---|---
Protect Identities & Secrets | Best-in-class standards for identity/secrets infrastructure, phishing-resistant MFA
Protect Tenants & Isolate Systems | Tenant isolation and production system protection
Protect Networks | Network security and segmentation
Protect Engineering Systems | Secure development infrastructure and CI/CD
Monitor & Detect Cyberthreats | Continuous threat monitoring and detection
Accelerate Response & Remediation | Fast incident response and recovery

Secure by Design

Threat Modeling (STRIDE)

Threat | Question | Mitigation
---|---|---
Spoofing | Can someone pretend to be someone else? | Authentication
Tampering | Can data be modified? | Integrity checks
Repudiation | Can actions be denied? | Logging, audit trail
Information Disclosure | Can data leak? | Encryption, access control
Denial of Service | Can service be disrupted? | Rate limiting, redundancy
Elevation of Privilege | Can someone gain more access? | Least privilege

Security Requirements Checklist

Before coding:

  • Authentication method defined
  • Authorization model designed
  • Data classification done
  • Encryption requirements clear
  • Logging requirements defined
  • Third-party dependencies reviewed

Secure by Default

Principle of Least Privilege

typescript
// Bad: Admin access by default
const adminByDefault = { role: 'admin', permissions: ['*'] };

// Good: Minimum permissions
const leastPrivilegeUser = { role: 'viewer', permissions: ['read:own'] };
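
A deny-by-default permission check built on the `read:own` style of grant shown above, as an added example that is not part of the original skill. The `action:scope` grammar, the `own`/`any` scopes and the names `User`, `Resource`, `parseGrant` and `isAllowed` are assumptions made for illustration.

```typescript
// Added example: deny-by-default authorization over "action:scope" grants.
// The grant grammar and all type/function names are illustrative assumptions.
type Action = 'read' | 'write' | 'delete';
type Scope = 'own' | 'any';

interface User { id: string; permissions: string[]; }
interface Resource { ownerId: string; }

// Parse one grant; anything malformed (including the '*' wildcard) yields null
// and is therefore ignored rather than treated as broad access.
function parseGrant(grant: string): { action: Action; scope: Scope } | null {
    const m = grant.match(/^(read|write|delete):(own|any)$/);
    return m ? { action: m[1] as Action, scope: m[2] as Scope } : null;
}

// Returns true only when an explicit grant covers this action on this resource.
function isAllowed(user: User, action: Action, resource: Resource): boolean {
    for (const raw of user.permissions) {
        const grant = parseGrant(raw);
        if (grant === null || grant.action !== action) continue;
        if (grant.scope === 'any') return true;
        if (grant.scope === 'own' && resource.ownerId === user.id) return true;
    }
    return false; // default deny: no matching grant, no access
}

// Constructed sample data.
const viewer: User = { id: 'u1', permissions: ['read:own'] };
const wildcard: User = { id: 'u2', permissions: ['*'] };
const ownDoc: Resource = { ownerId: 'u1' };
const otherDoc: Resource = { ownerId: 'u9' };
```

Calling `isAllowed` in every request handler, rather than once at login, is what the "check permissions on every request" rule amounts to in practice.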

Secure Defaults

typescript
// Bad: Optional security
createServer({ https: false, cors: '*' });

// Good: Secure by default
createServer({
    https: true,
    cors: ['https://trusted.com'],
    helmet: true
});

Input Validation

typescript
// Validate and sanitize ALL input
// `schema` and `sanitize` are assumed to be defined elsewhere in the application
function processInput(input: unknown) {
    const validated = schema.parse(input); // Zod, Joi, etc.
    const sanitized = sanitize(validated);
    return sanitized;
}

OWASP Top 10 Quick Reference

Risk | Prevention
---|---
Broken Access Control | Check permissions on every request
Cryptographic Failures | Use strong, modern crypto
Injection | Parameterized queries, no string concat
Insecure Design | Threat modeling, secure patterns
Security Misconfiguration | Secure defaults, remove unused features
Vulnerable Components | Dependency scanning, updates
Auth Failures | MFA, secure session management
Data Integrity | Signatures, checksums
Logging Failures | Comprehensive audit logging
SSRF | Allowlist URLs, validate requests

Credential Management

Never Hardcode

typescript
// NEVER
const hardcodedApiKey = 'sk-1234567890abcdef';

// ALWAYS
const apiKey = process.env.API_KEY;
// Or: Azure Key Vault, AWS Secrets Manager, etc.

Rotate Regularly

text
Credential Type     | Rotation Period
--------------------|----------------
API Keys            | 90 days
Service Passwords   | 90 days
Certificates        | 1 year
User Passwords      | User discretion + breach response

Secrets in Git

If secrets are accidentally committed:

  1. Revoke immediately — The secret is compromised
  2. Remove from history: git filter-branch or BFG
  3. Rotate — Generate new credentials
  4. Audit — Check for unauthorized use

Dependency Security

Regular Audits

powershell
# npm
npm audit
npm audit fix

# Check for outdated
npm outdated

Automated Scanning

  • Dependabot (GitHub)
  • Snyk
  • npm audit in CI/CD

Update Strategy

Severity | Response Time
---|---
Critical | 24-48 hours
High | 1 week
Medium | 2 weeks
Low | Next release
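
One way to enforce the response times above in CI, as an added example that is not part of the original skill: it reads `npm audit --json` output (npm 7+ report shape) and lists findings that have outlived their window. The function name, the caller-supplied first-seen map, the 48-hour bound for Critical and the sample data are assumptions.

```typescript
// Added example: apply the response-time table to `npm audit --json` output.
// Function names, the first-seen map and the sample data are constructed.
type NpmSeverity = 'info' | 'low' | 'moderate' | 'high' | 'critical';

// Hours allowed per npm severity; npm reports "moderate" where the table says
// "Medium". null = no fixed deadline ("Next release"). Critical uses the outer
// bound of the 24-48 hour window (assumption).
const SLA_HOURS: Record<NpmSeverity, number | null> = {
    critical: 48, high: 7 * 24, moderate: 14 * 24, low: null, info: null,
};

interface Overdue { name: string; severity: NpmSeverity; hoursOverdue: number; }

// firstSeen maps package name -> ISO time CI first reported the advisory.
function overdueFindings(
    auditJson: string, firstSeen: Record<string, string>, now: Date,
): Overdue[] {
    const report = JSON.parse(auditJson) as {
        vulnerabilities?: Record<string, { severity: NpmSeverity }>;
    };
    const out: Overdue[] = [];
    for (const [name, vuln] of Object.entries(report.vulnerabilities ?? {})) {
        const limit = SLA_HOURS[vuln.severity];
        const seen = firstSeen[name];
        if (limit == null || seen === undefined) continue; // no deadline or untracked
        const ageHours = (now.getTime() - Date.parse(seen)) / 3600000;
        if (ageHours > limit) {
            out.push({ name, severity: vuln.severity, hoursOverdue: Math.floor(ageHours - limit) });
        }
    }
    return out.sort((a, b) => b.hoursOverdue - a.hoursOverdue);
}

// Constructed sample report and first-seen times (package names are placeholders).
const SAMPLE_AUDIT = JSON.stringify({
    auditReportVersion: 2,
    vulnerabilities: {
        'example-parser': { severity: 'critical' },
        'example-http': { severity: 'high' },
        'example-utils': { severity: 'moderate' },
        'example-colors': { severity: 'low' },
    },
});
const FIRST_SEEN = {
    'example-parser': '2026-02-01T00:00:00Z', 'example-http': '2026-02-01T00:00:00Z',
    'example-utils': '2026-01-01T00:00:00Z', 'example-colors': '2025-01-01T00:00:00Z',
};
```

A pipeline step can fail the build when the returned list is non-empty.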

Security Code Review

Checklist

  • No hardcoded secrets
  • Input validation present
  • Output encoding for XSS
  • SQL uses parameterized queries
  • Auth checks on all endpoints
  • Sensitive data encrypted
  • Errors don't leak info
  • Dependencies up to date

Red Flags

text
🚩 eval(), exec(), dangerouslySetInnerHTML
🚩 String concatenation in queries
🚩 Disabled security features
🚩 Overly permissive CORS
🚩 Secrets in code or config files
🚩 Missing rate limiting
🚩 Verbose error messages
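
A small reviewer aid that looks for several of the red flags above in source text, as an added example that is not part of the original skill. The rule ids, the regular expressions and the sample lines are constructed heuristics; every hit still needs human triage.

```typescript
// Added example: flag the review red flags listed above in source lines.
// Rule ids and regexes are illustrative heuristics, not a complete linter.
interface Rule { id: string; pattern: RegExp; }
interface Finding { line: number; rule: string; }

const RULES: Rule[] = [
    { id: 'dynamic-code', pattern: /\b(eval|exec)\s*\(|dangerouslySetInnerHTML/ },
    // SQL keyword inside a quoted string that is then concatenated or interpolated
    { id: 'query-concat',
      pattern: /['"`][^'"`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^'"`]*(['"]\s*\+|\$\{)/i },
    { id: 'security-disabled', pattern: /\b(https|helmet|rejectUnauthorized)\s*:\s*false\b/ },
    { id: 'permissive-cors', pattern: /\bcors\s*:\s*['"]\*['"]/ },
    { id: 'hardcoded-secret',
      pattern: /\b(api[_-]?key|secret|password|token)\w*\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Returns one finding per (line, rule) hit; line numbers are 1-based.
function scan(source: string): Finding[] {
    const findings: Finding[] = [];
    source.split('\n').forEach((text, i) => {
        if (/^\s*\/\//.test(text)) return; // skip comment-only lines
        for (const rule of RULES) {
            if (rule.pattern.test(text)) findings.push({ line: i + 1, rule: rule.id });
        }
    });
    return findings;
}

// Constructed sample input, not taken from any real code base.
const SAMPLE = [
    "const apiKey = 'sk-1234567890abcdef';",
    "const apiKey2 = process.env.API_KEY;",
    "createServer({ https: false, cors: '*' });",
    "db.query('SELECT * FROM users WHERE id = ' + id);",
    "db.query('SELECT * FROM users WHERE id = $1', [id]);",
    "// eval(userInput) was removed",
    "el.innerHTML = render(eval(expr));",
].join('\n');
```

The parameterized query and the environment-variable lookup in the sample pass cleanly, while the `exec` rule will also match harmless calls such as `RegExp.prototype.exec`.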

Incident Response (Security)

  1. Contain — Limit blast radius
  2. Preserve — Don't destroy evidence
  3. Notify — Security team, legal if needed
  4. Investigate — What happened, how
  5. Remediate — Fix + prevent recurrence
  6. Report — Breach notification if required

Synapses

See synapses.json for connections.