In the past few years, Bill Gates has used email to communicate to Microsoft employees two dramatic shifts in the company's direction. The first was when Microsoft decided the Internet was everything and the second came about two years ago, launching the .NET vision.
On Jan. 15, Gates issued an email memo that marks a third landmark shift, this one an all-out effort to make security job one.
I can sense the skepticism in the air, but I've seen the memo and I believe Gates really gets it. Whether he will be able to translate his vision for "Trustworthy Computing" to his legions of developers is another question, but I don't see how this initiative can be anything but positive for security professionals and the public in general. (Full disclosure: As an independent writer and editor, I do work for publications funded by Microsoft, but this Web site isn't one of them.)
"There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level from the way we develop software, to our support efforts, to our operational and business practices," Gates wrote. "As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
True enough. Microsoft indeed has a perception problem when it comes to security, with the likes of Gartner Group advising folks a few months ago to rip out their IIS Web servers in favor of something more secure. Likewise, Microsoft products, usually Outlook, have been the target of some of the most insidious viruses we've seen to date, including Code Red. If there is a flaw in a Microsoft product that opens a door to hackers or virus writers, you can bet it will be uncovered eventually. Gates realizes this can't go on if his .NET strategy is going to fly. Given its current track record, few companies are going to be comfortable with the idea of taking code piecemeal from all across the Internet and running it for even one second on an internal server. In his memo, Gates notes that security is "a key foundation element" of .NET and that Visual Studio .NET is "the first multi-language tool that is optimized for the creation of secure code."
That's an important point, as it shows that Gates recognizes security begins with writing secure code. In the past, Microsoft was clearly more interested in getting products out the door quickly than in making sure they were secure. It appears this is about to change.
"Now, when we face a choice between adding features and resolving security issues, we need to choose security," he wrote.
The logical question that statement raises is, "How?" How do thousands of programmers who are used to writing code with features and functionality as their primary concern suddenly change course and think of security above all else?
That point is not addressed in the Gates memo, but reports published in The New York Times and elsewhere suggest Microsoft is going to call a massive time-out, until all its programmers are schooled in secure coding.
"The new emphasis on making software safe from malicious intruders will include stopping the development of new operating system software for the entire month of February and sending the company's 7,000 systems programmers to special security training," according to the Times. I hope that's true, as that is exactly the kind of investment we need to turn the security tide. It makes far more sense to invest dollars in teaching secure programming techniques than it does to spend those same dollars cleaning up after virus attacks.
Gates also seems to finally be on board with an idea security professionals have known for some time: Services that make a system potentially vulnerable should be turned off by default, not the other way around, as has typically been the Microsoft way.
"Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve," Gates wrote.
Gates' Trustworthy Computing vision also goes beyond security, to address availability and privacy as well. Indeed, these three disciplines should go hand in hand, as security breaches result in availability problems as well as privacy concerns.
Last fall, Microsoft took its first big step toward addressing its security problems with the launch of its Strategic Technology Protection Program, which is largely intended to help customers ensure they are patching all known vulnerabilities in Microsoft products. The Trusworthy Computing initiative is a logical next step, as it is intended to ensure that fewer vulnerabilities find their way into those products to be begin with.
Is Bill Gates Sincere About Security?
