Analysis Sunday marks the tenth anniversary of Bill Gates' Trustworthy Computing memo, which for the first time made designing security into applications from the ground up a key priority at Microsoft.
The directive to make security the number one priority followed a period in which Microsoft had taken a sustained shellacking over the instability and insecurity of its software, especially Internet Explorer and Outlook, after the rampage of high-profile malware outbreaks such as the Love Bug, Melissa and Nimda.
The memo came after Microsoft had spent years fighting the Department of Justice's antitrust suit, which centred on its Windows monopoly and in particular the bundling of IE with Windows, and two years after Redmond had begun to embrace web services with the launch of .NET.
Apple Macs were not the threat to Microsoft's desktop monopoly that they now pose, but the perception of insecurity was a problem for Microsoft's ambitions to push its servers and associated applications into the data centre, as well as for its fight against Linux as a web server platform.
Gates' memo sought to tackle concerns about the security and reliability of Windows, and also addressed broader worries about privacy and Microsoft's business practices. As in so many fields of computing, the term trustworthy computing had been coined years before Redmond latched onto the concept and began running with it.
In the wake of the memo, Redmond's developers were trained in the latest secure coding techniques, and Microsoft set out to produce products that were secure by design, secure by default and secure in deployment. Having previously regarded security researchers with an attitude that at best approached disdain, Microsoft became far more approachable, responsive and communicative. It has also worked with law enforcement agencies on botnet takedowns and other initiatives.
Notable achievements include adopting a security development lifecycle for software engineering and enabling the Windows firewall by default, from Windows XP Service Pack 2 in 2004, a step that belatedly put paid to the spread of the Blaster and Sasser worms.
That happened two years or more after the original Trustworthy Computing memo, which went out on 15 January 2002. Ten years on, Windows malware is as big a problem as it ever was, and one of the key goals of the whole initiative, resilient computer systems, remains a long way off.
There have also been missteps and setbacks along the way, most notably the hated UAC (User Account Control) nagware that debuted with Windows Vista. Other demerits include Redmond's delay in disabling Autorun, which was only switched off in older versions of Windows years after it had become a leading vector for malware infection.
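The two host-hardening settings credited and criticised above, the default-on firewall and the disabling of Autorun, are the ones a practitioner most often has to verify on a fleet. The following audit snippet is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (the Get-NetFirewallProfile cmdlet lives in the NetSecurity module shipped with those versions) and uses the documented NoDriveTypeAutoRun registry value, where 0xFF suppresses Autorun for every drive type as recommended in Microsoft KB 967715.

```powershell
# Added audit snippet (not from the article): checks that the Windows firewall
# is enabled on every profile and that Autorun is disabled by policy.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Test-FirewallDefaults {
    # XP SP2 made "on by default" the baseline; expect Enabled = True on the
    # Domain, Private and Public profiles, and Block as the inbound default.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is
    # suppressed. 0xFF (255) covers every drive type (KB 967715). The machine
    # policy key takes precedence over the per-user key when both are set.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $v = $null
        if ($null -ne $item) { $v = $item.NoDriveTypeAutoRun }

        $display = '(not set)'
        if ($null -ne $v) { $display = '0x{0:X2}' -f $v }

        [pscustomobject]@{
            Key               = $p
            NoDriveTypeAutoRun = $display
            AllDrivesDisabled = ($null -ne $v -and $v -eq 0xFF)
        }
    }
}

Test-FirewallDefaults | Format-Table -AutoSize
Test-AutorunDisabled  | Format-Table -AutoSize
```

A caveat: the later Windows update the article refers to stops Windows honouring autorun.inf on non-optical media regardless of this registry value, so a missing NoDriveTypeAutoRun on a patched machine is not by itself a finding. The registry check confirms that an explicit policy is in place, which is what most baselines ask for.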
On the other hand, concerns about the security of Microsoft's applications have slowly abated, while Adobe applications and Java have become the chief targets of many hacking techniques. Privacy concerns about Microsoft have been joined by sharper worries about privacy when using services from Google and Facebook.
While it's hardly been a resounding success, Microsoft's Trustworthy Computing initiative has made a positive impact on the industry and, to Redmond's credit, continues to produce fresh initiatives. For example, Microsoft is readying plans to provide a real-time threat intelligence feed, a move welcomed by security experts. The proposed free-of-charge service will distribute threat data from captured botnets and other sources. Redmond's security staffers are in the process of testing the service, Kaspersky Lab's Threatpost reports.
Ten years ago Microsoft was the butt of security-themed jokes. A decade later it is seen as an engaged partner and even a security leader, whose example other IT giants (hello Apple and, yes, Oracle) would do well to emulate.