Understand open source security at Microsoft

The open-source software (OSS) landscape is rapidly growing, both in the quantity of components available and the complexity of their interactions. Microsoft embraces the use of OSS to build products and services that benefit our customers while also understanding the legal and security challenges associated with OSS.

Microsoft has adopted a high-level strategy for managing open-source security. The strategy relies on tools and workflows designed to:

  • Understand which open-source components are being used in our products and services.
  • Track where and how those components are used.
  • Determine whether those components have any vulnerabilities.
  • Respond properly when vulnerabilities are discovered that affect those components.

Component Governance (CG)

Microsoft engineering teams maintain responsibility for the security of all open-source software included in a product or service. To achieve this at scale, Microsoft has built essential capabilities into engineering systems through CG, which automates open-source detection, legal requirement workflows, and alerting for vulnerable components.

Microsoft engineering teams use CG to detect open-source components in Microsoft Online Services software builds and any associated security vulnerabilities or legal obligations. Newly discovered components are registered and submitted to the appropriate teams for business and security reviews. These reviews are designed to evaluate any legal obligations or security vulnerabilities associated with open-source components and resolve them before approving components for deployment.
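The four steps listed above (inventory the components, track where they are used, check them for known vulnerabilities, and hand findings off for response) can be exercised end to end on a single dependency manifest. The script below is an added illustration written for this page; it is not Component Governance code or any Microsoft tool. The lockfile, package names, versions and advisory identifiers (`EXAMPLE-000x`) are all constructed for the example, and the version comparison is a deliberately simplified semver (prerelease and build tags are ignored).

```python
"""Toy open-source component inventory and vulnerability matcher.

Added example for this page, not Microsoft's Component Governance code.
Walks the four steps: inventory components, record where each is used,
match them against an advisory feed, and rank findings for response.
All inputs are constructed inline so the script runs offline.
"""
import json

# Constructed npm lockfile (lockfileVersion 3 layout) standing in for a build's
# dependency manifest. Package names and versions are made up.
LOCKFILE = json.dumps({
    "name": "example-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"webfw": "^2.1.0", "yamlish": "^1.4.0"}},
        "node_modules/webfw": {"version": "2.1.3",
                               "dependencies": {"yamlish": "^1.2.0"}},
        "node_modules/yamlish": {"version": "1.4.1"},
        # Nested copy: webfw pinned an older yamlish than the root project.
        "node_modules/webfw/node_modules/yamlish": {"version": "1.2.9"},
        "node_modules/testrunner": {"version": "5.0.0", "dev": True},
    },
})

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "yamlish",
     "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "testrunner",
     "introduced": "4.0.0", "fixed": "5.0.1", "severity": "medium"},
    {"id": "EXAMPLE-0003", "package": "webfw",
     "introduced": "3.0.0", "fixed": "3.0.2", "severity": "critical"},
]


def parse_version(v):
    """'1.2.9' -> (1, 2, 9). Prerelease/build tags are dropped (simplified semver)."""
    core = v.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def inventory(lockfile_text):
    """Steps 1 and 2: every installed component plus where it sits in the tree."""
    data = json.loads(lockfile_text)
    components = []
    for path, info in data["packages"].items():
        if path == "":
            continue  # the root project itself, not a third-party component
        # A nested node_modules path means the enclosing package pulled it in.
        if "/node_modules/" in path:
            via = _package_name(path.rsplit("/node_modules/", 1)[0])
        else:
            via = "(direct)"
        components.append({"name": _package_name(path), "version": info["version"],
                           "path": path, "via": via, "dev": info.get("dev", False)})
    return components


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(components, advisories):
    """Step 3: match each inventoried component against the advisory feed."""
    alerts = []
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                alerts.append({**comp, "advisory": adv["id"], "severity": adv["severity"]})
    return alerts


def triage(alerts):
    """Step 4: order findings for response; shipped deps before dev-only ones."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(alerts, key=lambda a: (a["dev"], rank[a["severity"]]))


if __name__ == "__main__":
    comps = inventory(LOCKFILE)
    for a in triage(find_vulnerable(comps, ADVISORIES)):
        scope = "dev" if a["dev"] else "prod"
        print(f"{a['advisory']} {a['severity']:8} {a['name']}@{a['version']} "
              f"via {a['via']} [{scope}]")
```

Note that the only vulnerable `yamlish` is the nested copy pulled in by `webfw`, while the root-level `yamlish` is already on a fixed version; an inventory that records only top-level dependencies would miss it, which is why the "where and how" step matters as much as the "which".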

Learn more