January marks the ten year milestone of Bill Gates’ memo on Trustworthy Computing. When I think about “where was I when…” the email hit my inbox, several memories come to mind that I thought I’d share. Back then I was the Director of Security Assurance, a position that encompassed both the Microsoft Security Response Center (MSRC) and the Secure Windows Initiative that focused on improving the security of Microsoft’s products before they shipped. We had had our share of problems in those days as attackers had released worms – Code Red, Nimda – against our products and customers.
On January 12th 2002, Michael Howard, Jason Garms, Glenn Pittaway and I were working long days and nights preparing for the February start of the Windows Server 2003 security push. We were prioritizing component development groups, identifying tools that we’d tell groups to run, and working to finalize the four-hour security training class that we planned to present to a total of about 8500 people during the week of January 28, 2002.
One of our big concerns was how the employees would react. We knew that our managers up to senior and group vice president had approved our idea of conducting the security push, and we knew that the team commitments were on the calendar. But if the individual employees and lower-level managers weren’t on board with the idea, the process could crater badly.
Bill’s Trustworthy Computing mail appeared in the midst of this hard preparatory work. I won’t say we would have failed to get the employee engagement we needed if Bill hadn’t sent his mail – after all, we’d lived through Code Red, Nimda, and some very embarrassing vulnerability reports against Windows XP, and developers and managers were aware of the negative customer perception. But I do know that Bill’s mail made a difference. We told developers, program managers, and testers to sit through four hours of training in a cramped (950-person) meeting room and pay attention, and they paid attention. We told them to review code and find security bugs rather than working on features, and they found and fixed security bugs. We gave them what I know, with ten years’ hindsight, were immature and flaky tools and processes, and they swallowed hard and used them effectively to find more security bugs. And to this day, I believe a lot of their willingness to do those things was not only because their managers said to do them, but because Bill and Craig Mundie (then Microsoft’s Chief Technology Officer and today Microsoft’s Chief Research and Strategy Officer) had said they were important to do – important for our customers and important for Microsoft.
We’ve done a lot to make our software and services more secure in the last ten years. The Security Development Lifecycle (SDL) evolved from the security push, and today we’re recognized for our leadership because we share the SDL process and tools with the broader software development community. But the security pushes of 2002 were the beginning. And Bill’s commitment and the way it mobilized the company were the key to that beginning.