Dogfooding: How Microsoft IT Information Security Dogfoods

Hi Mark Smith here. I’m a senior program manager on the Microsoft Information Security. I’m kicking off our blog series providing you a glimpse into how Microsoft’s IT Information Security (InfoSec) dogfoods. When launching a new product naturally there’s a concern about how a product will perform. Ever wonder about Information Security’s role in dogfooding process? First, what’s dogfooding anyways? Most likely this term is very familiar to you, but simply, it means we use our own products we make usually before they’re ready for the public. Really we do…but there is also so much more to it. 

In Microsoft IT (MSIT), we have a formal program known as the First & Best Program. This program, , drives end to end IT support for all products, MSIT intends to deploy and provide support for in our production environment. Sometimes we start dogfooding products years before a product is even released to market. Generally only major product releases are on-boarded to the program. Some examples are Windows, Exchange, SQL, SharePoint, Forefront and more.

InfoSec is a key participant in the First and Best program with two overall specific goals –

1. Ensure all dogfood deployments are secure and compliant with policy

2. Assess, strategize and trial the product’s security features in advance of a production implementation

Once a product is ready to go through the security portion of the First & Best program, here’s what takes place:

dogfooding

1. ACE Team performs a security design review. Closely working with the key product owners, ACE will begin a triage to evaluate the MSIT deployment plan focusing on all in-scope features to determine security risk and ensure policy compliance as well as security operations business continuance. Ultimately, ACE will give an approval when all concerns are addressed.

2. Security Operations Planning and Strategy Team will conduct an assessment through spec reviews and deep meetings with the product groups, focusing on security features only. Risk reduction opportunities are identified and summarized in a document that seeds shared goal development and testing.

3. InfoSec Operations pre-production team will drive the rollout and testing of the security features. During this stage, any bug, design change requests as well as general product feedback are produced and managed as part of the overall dogfood effort.  

In the coming weeks we’ll be discussing each phase in more detail. Stay tuned. In the mean time, check out my recent video Microsoft Information Security & Dogfooding, I walk you through our dogfooding process and share our successes. 

-Mark Smith
Senior Security Program Manager
Microsoft Information Security