1ES

Microsoft One Engineering System (1ES) team shares a sample for building Ready-To-Code Dev Box environments pre-configured with the necessary tools, repositories, and settings, ensuring consistency and reliability across teams. The post Dev Box Ready-To-Code Dev Box images template appeared first on Engineering@Microsoft.

In April 2021, GitHub announced changes to their security token format that significantly enhanced security. The improvement leveraged two straightforward techniques: a fixed signature in the generated token and a checksum – both of which are highly effective in eliminating false positives (noise) and false negatives (missed findings). Microsoft also implements these techniques widely in […] The post Common annotated security keys appeared first on Engineering@Microsoft.

What do you keep in your Git repos? Source code for your production applications certainly, but you probably also keep a fair amount of experimental and “hackathon” code. Maybe you keep your documentation in Git. Maybe, like the District of Columbia does, The post Your Most Important Git Repos appeared first on Engineering@Microsoft.

We’re in an exciting time for technology. But to take advantage of the opportunities, it’s critical for developers to have access to the tools and resources that can help them stay productive and do their best work. At Microsoft, we’re migrating many of our developers to highly productive, The post Microsoft Dev Box for Microsoft engineers appeared first on Engineering@Microsoft.

A secure software supply chain represents another facet of Microsoft’s built-in security to enhance and maintain trust in our products. It’s a continuation of the journey we embarked upon since the launch of Security Development Lifecycle (SDL) in 2004 and represents our commitment to continually enhance Microsoft’s foundational security. The post The Journey to Secure the Software Supply Chain at Microsoft appeared first on Engineering@Microsoft.

The Accessibility Insights team recently fixed a bug in our Windows Presentation Foundation (WPF) app where checkboxes in a WPF tree view were not properly reporting their checked or unchecked state to adaptive technologies such as screen readers. This longstanding issue created a sub-par accessible experience in Accessibility Insights for Windows, The post Implementing an accessible, checkable WPF Tree View appeared first on Engineering@Microsoft.

Since February 2022, the Accessibility Insights team has been migrating Accessibility Insights for Web–our Chrome and Edge extension introduced in Jacqueline’s February 14, 2022, post–from Manifest V2 (MV2) to Manifest V3 (MV3). We wanted to share learnings and takeaways from our migration journey with a walkthrough of the largest changes and considerations. The post Learnings from migrating Accessibility Insights for Web to Chrome’s Manifest V3 appeared first on Engineering@Microsoft.

We are excited and proud to open source our software bill of materials (SBOM) generation tool. A key requirement of the Executive Order on Improving the Nation’s Cybersecurity, SBOMs are lists of ingredients that make up software components, providing software transparency so organizations have insight into their supply chain dependencies. The post Microsoft open sources its software bill of materials (SBOM) generation tool appeared first on Engineering@Microsoft.

In this post, Jacqueline Gibson goes over Accessibility Insights for Web, Microsoft's open-sourced Chrome and Edge extension that helps users find and fix web accessibility issues. The post Accessibility Insights for Web appeared first on Engineering@Microsoft.

Flaky tests are a well-known problem across the industry and Microsoft is no exception. In this post, Suresh Thummalapenta walks us through the team's comprehensive flaky test management system that helps to infer, triage, and quarantine those tests. The post Improving developer productivity via flaky test management appeared first on Engineering@Microsoft.

In this post, John Alkire walks through the features of Accessibility Insights for Windows, which enables users to inspect and test Windows applications to find and fix accessibility issues. The post Accessibility Insights for Windows appeared first on Engineering@Microsoft.

In this post, Sina Jafari discusses key characteristics of the CloudTest infrastructure used at Microsoft and why similar characteristics should be considered in all large-scale test infrastructures to improve engineers’ productivity and help them ship high-quality software. The post CloudTest: A multi-tenant, scalable, performant and extensible verification service appeared first on Engineering@Microsoft.

In this post, Adrian Diglio walks us through how Microsoft is planning to generate SBOMs not just to meet the U.S. Presidential Executive Order on Improving the Nation's Cybersecurity, but for all software that Microsoft produces. The post Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft appeared first on Engineering@Microsoft.

In this post, Michael Fanning gives us a short history on standards (think Julius Caesar), how consensus on something very small can enable something very large, and how all of it relates to the design of the ‘Static Analysis Results Interchange Format’ (SARIF). The post Caesar, standards, and SAST: The road to SARIF appeared first on Engineering@Microsoft.

The faster we iterate on refining secure development practices, the faster our developers can address security pain points, and the better we protect our customers. In this post, Bryan Sullivan walks through key learnings from the 1ES Security team. The post You can’t have security for DevOps until you have DevOps for security appeared first on Engineering@Microsoft.