Microsoft’s Trustworthy Computing: 10 Years Of Securing Windows

Microsoft’s Trustworthy Computing initiative, panned as a hollow public relations campaign 10 years ago, has hardened Windows and introduced secure software standards

In 2002, then-CEO Bill Gates wrote a letter to every Microsoft employee stating that product security was a top priority for the software giant. While the fight against attackers is not over, the company has advanced significantly in making it harder to compromise the operating system and associated software, according to security experts in and out of Microsoft.

Gates sent the email to the employees on 15 January, 2002, outlining the Trustworthy Computing (TwC) initiative and calling on them to deliver products that were “as available, reliable and secure as standard services, such as electricity, water service and telephony”.

Focus on security

At the time of the email, Windows systems around the world were under siege by fast-replicating and destructive worms and viruses such as CodeRed, Nimda, “I Love You”, and “Anna Kournikova”. CodeRed used buffer overflows to exploit vulnerabilities in Windows Server’s Internet Information Services (IIS) Web server and infected more than 300,000 computers.

Gates ordered everyone in the company to stop and begin focusing on security. If there were a choice between adding features and resolving security issues, the company would “choose security”, Gates wrote. Microsoft needed to emphasise security “out of the box” and to “constantly refine and improve” the products because threats will evolve, according to the memo.

“If we don’t do this, people simply won’t be willing, or able, to take advantage of all the other great work we do,” Gates wrote, adding, “We must lead the industry to a whole new level of trustworthiness in computing.”

Ten years after Gates outlined the company’s three new areas of focus as security, privacy and reliability, these areas remain “just as important” as organisations move to the cloud, government roles evolve and new cyber-threats emerge, Adrienne Hall, Microsoft’s general manager of TwC, wrote on the Trustworthy Computing blog.

Microsoft’s Trustworthy Computing initiative permeates all parts of the company and touches upon many areas, including building security into products and services right from the design phase, regularly updating products and services, researching new and emerging threats, developing security products and working with law enforcement, Hall wrote. Under TwC, developers receive training on exploit mitigations, and there are regular outreach efforts to external security researchers who probe the company’s products for weaknesses. Security runs through Microsoft employees’ veins and, Hall said, “It truly is in our DNA”.

Adoption and adaptation

The Security Development Lifecycle is a mandatory policy for all Microsoft software that ensures the teams are designing, building and testing more secure products, and working with third-party vendors and the public to warn about vulnerabilities and resolve issues. Microsoft introduced in-depth defences, such as address space layout randomisation and data execution prevention, in its products, and added security features to guard against stack-overflow errors.

Many companies, including Adobe and Cisco, have adapted the Security Development Lifecycle to beef up their own internal security objectives. Adobe has been working hard to “transform itself into the next poster child for security”, Ron Gula, CEO and CTO of Tenable Network Security, told eWEEK.

The company also focused on privacy in its products, publishing privacy standards for developers and providing consumers with layered privacy notices. Privacy will continue to be an “evolving and on-going effort”, especially as cloud computing and the increasingly connected society create “vast amounts of data”, David Burt, senior communications manager for Privacy & Safety Policy, wrote on the Microsoft Privacy and Safety blog. Microsoft will continue to protect people’s privacy, Burt said.

“We’re proud of what we’ve achieved and of the many innovations that have become accepted as industry best practices. But it would be wrong to congratulate ourselves on a job well done,” Hall said, adding, “There is still a lot on the road ahead.”

Time and trouble

Microsoft’s security efforts have made it harder for attackers to compromise the operating system, Gula said. The regular updates, security innovations such as address space layout randomisation and data execution prevention, and the increased use of sandboxing, have increased the amount of time and effort attackers have to expend in their campaigns, Gula said.

Many of the attacks have shifted focus, targeting Web applications because those are not built with security in mind, Gula said. While browser companies are innovating and stumbling over each other in their effort to roll out the next-best security features, the applications themselves generally aren’t built by developers with a security mindset, he said.

Microsoft will focus on the “PC-plus era”, such as mobile devices and cloud computing, and the role of governments in computing in “TwC Next”, the next 10 years of TwC, said Scott Charney, corporate vice president of Trustworthy Computing. Security, privacy and reliability strategies must evolve to “remain potent”, Charney said, noting there was “still much work” that needed to be done to make computing “more trustworthy”.