Reactions from the security community to the Trustworthy Computing Initiative

This week, Microsoft is celebrating 10 years of its Trustworthy Computing Initiative (TwC). One of the most well-known outcomes of Trustworthy Computing is the Microsoft Security Development Lifecycle (SDL), which also incorporates privacy development practices. Many companies, including Adobe and Cisco, have adopted security development lifecycles modeled after Microsoft’s SDL.

Below are comments on the Trustworthy Computing Initiative that Help Net Security received from industry veterans.

Wolfgang Kandek, CTO for Qualys

Bill Gates’ now 10 year old memo to Microsoft’s employees was an eye-opening moment for me. When I first read it, I found myself intuitively agreeing to many of the underlying assumptions: strong growth of computers, but also their unstopping insertion into the personal lives of billions of individuals and the importance of trusting their integrity and function in both areas. In the 10 years following, the industry has come a long way and we have reached many important achievements.

Microsoft has played a key part – even serving as a great role model for other software vendors – by integrating security into its development process and openly sharing security information with the public, including its own competitors.

But Gates was overly optimistic as to the impact that we would be able to achieve. The Internet user base has now reached 30% of the world-wide population and security woes have not become any smaller by any measure.

While new PC software is much safer than its predecessors, we continue to deal with older software stragglers and are overwhelmed by the amount of new devices that are connected to the Internet at any moment, now including our phones, media players, critical infrastructure, houses with smart meters, and even our cars.

The example of the TwC makes me optimistic that we can find solutions for these challenges and that security will be an integral part of new technologies in the next 10 years.

Kurt Baumgartner, senior security researcher, Kaspersky Lab

Microsoft’s massive customer base has benefited from the security efforts put forward by the company in improving the security of their products and process. The newest defensive capabilities in Windows 7 and the reduction in attack surface of Windows 2008 are examples of this trend.

At the same time, its past mistakes and late prioritization of security left those same customers with headaches for years – as an example, the relatively insecure IE6 install base just fell under 1% in the US 10 years after its launch and Microsoft is working hard to kill it.

The progress made from IE6 to IE9 in better securing their browser is somewhat unbelievable. But corporate and government customers have a nasty habit of hanging on and using the oldest versions of software until the systems truly cannot function.

Additionally, exploitation of their software has shifted from stack overflows to memory corruption issues more complicated to root out, like heap corruption, kernel overflows, elevation of privilege bugs, and use-after-free vulnerabilities.

Also shifting is the focus of directly attacking the Microsoft platform itself to targeting the stuff that runs on the platform. Lower hanging fruit in ubiquitous Adobe, Java and other third party software are readily attacked on the desktop, and web application errors abound. Microsoft has improved their side of the game, but volume, complexity of code, and the attraction to push features will continue to burden their software development and implementation.

Marcus Carey, security researcher at Rapid7

I think Microsoft should be congratulated for reaching this milestone. Ten years ago Microsoft was a laughing stalk in information security circles so it’s to its credit that it has successfully transformed itself into a great example of how to build product security into the processes of a software company.

Microsoft makes it clear that in the immediate future it is focusing on cloud computing, mobile devices and applications, advanced persistent threats (APT), big data, the role of government in IT, and availability issues. Interestingly, Microsoft uses a different term for APT – Targeted Attacks & Persistent Adversaries – recognizing that all attacks aren’t advanced, but they are targeted with precision.

Organizations should take note of this because Microsoft is laying out what it believes to be the significant security challenges going forward.