Ten years ago this week, during a time when security problems were threatening trust in software products, Bill Gates sent an email to all Microsoft full-time employees announcing the creation of the Trustworthy Computing (TwC) initiative.
Gates’ memo called upon employees across the company to fundamentally rethink their approach to product development and strive to deliver products that are “as available, reliable and secure as standard services such as electricity, water services and telephony.”
“In Bill’s original email, he identified three core attributes – security, privacy and reliability – that we had to develop in our software and services,” said Scott Charney, corporate vice president, Microsoft Trustworthy Computing. “In the memo, Bill said that technology was going to be integrated in our lives in a far more rich way and would impact everything we do. That was one of the reasons it was so critical to get these three attributes right.”
One of the most well-known outcomes of Trustworthy Computing is the Microsoft Security Development Lifecycle (SDL), which also incorporates privacy development practices. Embracing industry best practices and lessons learned from Microsoft’s earlier security push, the SDL was instituted as a company-wide, mandatory policy. Companies including Adobe and Cisco have adopted security development lifecycles modeled after Microsoft’s SDL.
“Microsoft put a lot of investment into building the Security Development Lifecycle and learned many lessons along the way on what worked well,” said Brad Arkin, senior director, security, Adobe products and services. “In formalizing our own secure product lifecycle, we were eager to tap into that knowledge instead of reinventing the wheel. This allowed us to spend more time on the actual implementation across all of our product teams.”
Microsoft has delivered progress in reliability and privacy as well. Better instrumentation such as Windows Error Reporting has led to fewer system crashes, increasing productivity and alleviating user frustration. In the area of privacy, Microsoft was one of the first companies to publish privacy standards for developers and to provide consumers with layered privacy notices.
The threat landscape continues to evolve, growing more sophisticated and increasingly complex. Opportunistic threats have been supplemented by attacks that are more persistent and, in many cases, far more worrisome. While some of these attacks are sophisticated, many are not: they frequently rely on traditional, unsophisticated vectors such as unpatched vulnerabilities, misconfigurations and social engineering. This underscores not only the importance of continued innovation in security protection, but also the need for even greater security and privacy awareness among the general public.
In marking the 10-year milestone of the original Trustworthy Computing memo today, Microsoft recognizes that Trustworthy Computing has never been more important. “TwC Next,” the ensuing decade-plus of Trustworthy Computing, will focus on the PC-plus era, the new world of devices and cloud computing, and the role of governments in computing. Security, privacy and reliability strategies must evolve to remain potent. There is still much work that our industry must do to make computing more trustworthy. Everyone at Microsoft and the entire computing ecosystem has a role to play.