Windows security foundations

Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment.

Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.

Use the links in the following table to learn more about the security foundations:

Concept Description
FIPS 140-2 Validation The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about FIPS 140-2 Validation.
Common Criteria Certifications Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

Learn more about Common Criteria Certifications.
Microsoft Security Development Lifecycle The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

Learn more about Microsoft SDL.
Microsoft Bug Bounty Program If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

Learn more about the Microsoft Bug Bounty Program.