Microsoft’s Trustworthy Computing: 10 Years Of Securing Windows

In 2002, then-CEO Bill Gates wrote a letter to every Microsoft employee stating that product security was a top priority for the software giant. While the fight against attackers is not over, the company has advanced significantly in making it harder to compromise the operating system and associated software, according to security experts in and out of Microsoft.

Gates sent the email to the employees on 15 January, 2002, outlining the Trustworthy Computing (TwC) initiative and calling on them to deliver products that were “as available, reliable and secure as standard services, such as electricity, water service and telephony”.

Focus on security

At the time of the email, Windows systems around the world were under siege by fast-replicating and destructive worms and viruses such as CodeRed, Nimda, “I Love You”, and “Anna Kournikova”. CodeRed used buffer overflows to exploit vulnerabilities in Windows Server’s Internet Information Services (IIS) Web server and infected more than 300,000 computers.

Gates ordered everyone in the company to stop and begin focusing on security. If there was a choice between adding features and resolving security issues, the company would “choose security”, Gates wrote. Microsoft needed to emphasise security “out of the box” and to “constantly refine and improve” the products because threats will evolve, according to the memo.

“If we don’t do this, people simply won’t be willing, or able, to take advantage of all the other great work we do,” Gates wrote, adding, “We must lead the industry to a whole new level of trustworthiness in computing.”

Ten years after Gates outlined the company’s three new areas of focus as security, privacy and reliability, these areas remain “just as important” as organisations move to the cloud, government roles evolve and new cyber-threats emerge, Adrienne Hall, Microsoft’s general manager of TwC, wrote on the Trustworthy Computing blog.

Microsoft’s Trustworthy Computing initiative permeates all parts of the company and touches upon many areas, including building security into products and services right from the design phase, regularly updating products and services, researching new and emerging threats, developing security products and working with law enforcement, Hall wrote. Under TwC, developers receive training on how to exploit mitigations, and there are regular outreach efforts to external security researchers who probe the company’s products for weaknesses. Security runs through Microsoft employees’ veins and, Hall said, “It truly is in our DNA”.

Adoption and adaptation

The Security Development Lifecycle is a mandatory policy for all Microsoft software that ensures the teams are designing, building and testing more secure products, and supporting third-party vendors and the public by warning about vulnerabilities and resolving issues. Microsoft introduced defence-in-depth measures, such as address space layout randomisation and data execution prevention, in its products, and added security features to guard against stack-overflow errors.

Many companies, including Adobe and Cisco, have adapted the Security Development Lifecycle to beef up their own internal security objectives. Adobe has been working hard to “transform itself into the next poster child for security”, Ron Gula, CEO and CTO of Tenable Network Security, told eWEEK.

The company also focused on privacy in its products, publishing privacy standards for developers and providing consumers with layered privacy notices. Privacy will continue to be an “evolving and on-going effort”, especially as cloud computing and the increasingly connected society create “vast amounts of data”, David Burt, senior communications manager for Privacy & Safety Policy, wrote on the Microsoft Privacy and Safety blog. Microsoft will continue to protect people’s privacy, Burt said.

“We’re proud of what we’ve achieved and of the many innovations that have become accepted as industry best practices. But it would be wrong to congratulate ourselves on a job well done,” Hall said, adding, “There is still a lot on the road ahead.”

Time and trouble

Microsoft’s security efforts have made it harder for attackers to compromise the operating system, Gula said. The regular updates, security innovations such as address space layout randomisation and data execution prevention, and the increased use of sandboxing, have increased the amount of time and effort attackers have to expend in their campaigns, Gula said.

Many of the attacks have shifted focus, targeting Web applications because those are not built with security in mind, Gula said. While browser companies are innovating and stumbling over each other in their effort to roll out the next-best security features, the applications themselves generally aren’t built by developers with a security mindset, he said.

Microsoft will focus on the “PC-plus era”, such as mobile devices and cloud computing, and the role of governments in computing in “TwC Next”, the next 10 years of TwC, said Scott Charney, corporate vice president of Trustworthy Computing. Security, privacy and reliability strategies must evolve to “remain potent”, Charney said, noting there was “still much work” that needed to be done to make computing “more trustworthy”.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
