Microsoft, to its credit, took measures to reverse its security reputation. Bill Gates' famous 2002 Trustworthy Computing memo (see "Trustworthy Finally?", below) put a temporary halt to development in Redmond, Wash. Microsoft's developers were given security mandates, and a security development lifecycle was established. Looking at Vista, which launched this year, the security changes are stark.
Microsoft makes some amends for early gaffes.
Code Red and Nimda had ripped through the Internet in the summer of 2001, exploiting vulnerable IIS Web servers on Windows NT and Windows 2000 systems. Though patches were available well before the worms struck, frustrated admins wondered why Microsoft code wasn't bulletproof to begin with.
Gartner analyst John Pescatore went so far as to recommend that organizations hit by these worms investigate alternatives like iPlanet and Apache rather than try to keep running on the patching treadmill with IIS.
Small wonder, then, that when Bill Gates announced the advent of the Trustworthy Computing era in an internal email to Microsoft employees on Jan. 15, 2002, it was greeted with skepticism from some, cynicism from others and outright scorn from many more.
"Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony," Gates said.
It wasn't an easy sell. A year after Gates' email, 80 percent of readers surveyed told Information Security that Microsoft security hadn't improved and were considering non-Microsoft OSes and apps.
"If we don't do security well, people will migrate away from us. And if we don't do security right, they should," said then security strategist Scott Charney.
And in January 2004, Microsoft CEO Steve Ballmer told Information Security, "I think we have made a good start over the last two years and I believe we will have made enormous progress 10 years from now. But, as we've said many times, it really is a journey, not a destination."
In the nearly six years that have followed Gates' message, Microsoft has made indisputable progress in fulfilling its mantra with products that are secure by design, by default and in deployment. It has reorganized its code development around its Security Development Lifecycle (SDL) program, manifested in releases such as SQL Server 2005, Office 2007, Vista and, coming soon, Windows Server 2008 (code-named Longhorn).
"Security is pretty well baked in to Microsoft's enterprise products," Pescatore says now. "It's at the top of their priority list."
This was first published in January 2008