Dogfooding: How Microsoft IT Information Security Dogfoods, Phase 1: Conduct a Security Design Review

Hi Don Nguyen here, I’m a senior security engineer with the Microsoft Information Security's (InfoSec), ACE Team.

Continuing with our blog series on dogfooding, today I will be talking about phase 1: conduct a security design review, of our formal dogfooding process called, the First & Best program. In case you missed it, read Mark Smith’s recent blog here where he provides an overview of our dogfooding process.

In phase 1 of our dogfooding process, a security design review is conducted and it’s performed by our own assessment team, the ACE team. In a security design review we’re looking at additional features that might affect our policies. So basically a new feature can change our policy and if needed, we may need to modify the policy. From our review, any finding that may affect policy is communicated to our policy group. This helps ensure our internal policies are evolving along with our new technologies. For example, SQL 2005 provided a transparent data encryption to meet our internal security standard for sensitive data encryption. We assessed the encryption method and updated our policies to accept this method. The same can also be true the other way around, where we have a security policy and the product/feature may be suited at a consumer-level, but can’t be deployed in our enterprise environment per our security policies.

Also in this phase a risk assessment is performed. Anytime you add or change feature sets, the relative risk associated with the change needs to be reviewed and also existing risks will need to be assessed. Additionally with new products, new network risks can be introduced and we want to ensure these risks are identified and addressed. When we perform a risk assessment which enables the new features, this can increase risks to the network, however, this helps us determine security controls needed to mitigate a risk. Mitigation is provided to the product teams. After the assessment is completed, we provide feedback to the product teams from the context of an enterprise environment and how Microsoft IT will deploy a product, usually the enterprise features specifically.

In the end, success in the dogfooding program is really, seeing the overall successes over time, seeing products evolve and become more secure. Getting the opportunity to make a product more secure, working with the product teams and making a product more “enterprise-ready” is really key. If you’re interested in starting a dogfooding program in your own organization, here are some things you can consider:

  • Determine if your organization wants to run beta software in a production environment. Make sure the beta software has feature/updates that your organization can utilize. Don’t try to beta test everything, only things that you actually expect to use as an enterprise. We test everything, but that’s our core business.
  • Identify what you want to dogfood and create a dogfood plan with a start and end date per beta product/project.
  • Establish a deliverable, basically a migration roadmap from when a product is beta to RTM (release to market).

Check out my recent video where I talk more about this phase. Next time we will discuss the next phase of our dogfooding process, stay tuned…

-Don Nguyen
Senior Security Engineer
Microsoft Information Security, ACE Team