Steve Lipner, partner director of program management, Trustworthy Computing, Microsoft
Earning customers' trust is the greatest asset that Microsoft can have, according to an executive on the tenth anniversary of the vendor's Trustworthy Computing initiative.
"We started the programme 10 years ago, and yet it still holds true today," Steven Lipner, partner director of program management, Trustworthy Computing, Microsoft.
In 2002, Bill Gates sent a memo to Microsoft employees announcing the creation of the Trustworthy Computing programme. Gates' memo called upon employees across the company to fundamentally rethink their approach to product development and strive to deliver products that are "available, reliable and secure".
"People were starting to find vulnerabilities and starting to write worms and viruses to exploit them. As we became more dependent on computers, reliability becomes more and more of a focus," said Lipner. One driving factor behind the creation of Trustworthy Computing was the introduction of malicious software CodeRed and Nimda in 2001.
Today, one of the most well-known outcomes of Trustworthy Computing is the Security Development Lifecycle (SDL). Embracing industry best practices and lessons learnt from Microsoft's earlier security push, the SDL was instituted as a company-wide, mandatory policy.
Companies including Adobe and Cisco adopted security development lifecycles modelled after Microsoft's SDL. "In formalising our own secure product lifecycle, we were eager to tap into that knowledge instead of reinventing the wheel. This allowed us to spend more time on the actual implementation across all of our product teams," said Brad Arkin, senior director, security, Adobe products and services.
SDL has undergone a huge evolutionary process since its debut in 2002, according to Lipner. SDL first started out as a set of written and unsophisticated tools. "We have progressed from having very non-specific testing requirements to a growing number of fuzz testing sets to detect buffer overruns and other kinds of vulnerability," said Lipner.
Trustworthy Computing timeline
One lesser-known product of Trustworthy Computing was the effort to improve the security patching process for enterprises and IT managers. The number of patch installers was reduced from eight to two by 2007. "We also introduced security update software that enables administrators to operate a Windows-like update infrastructure that runs seamlessly for their users and systems," said Lipner.
A major lesson learnt by Microsoft during the past 10 years of Trustworthy Computing was the importance of partnering with the security researcher community to work on software vulnerabilities.
One key moment was working with developers that discovered the Blaster worm vulnerability in the early years of the initiative. "We had cordial dialogue and worked together to develop a fix," said Lipner.
Sign up for Computerworld eNewsletters.