andrew_stormsOn Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community.  Ten years ago, the program was announced with a press release that promised

  • “Improved patch management processes, policies and technologies to help customers stay up to date and secure.”
  • “Global education programs to provide better guidance and tools for securing systems.”

Within the press release, chief executive officer Steve Ballmer said: “Our goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.”

Those of us working in the security industry or with corporate information security responsibility saw this as a direct response from the famous Trustworthy Computing memo penned by Bill Gates in January 2002.  The signs were clear.  Microsoft was faced with a serious dilemma.  Its software was riddled with security holes that were having a direct negative effect on its customers’ security, availability and privacy.  In corporate IT, Microsoft had quickly gotten its own nickname of “necessary evil.”  IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.

Whether you have like or disdain for Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.

For starters, Microsoft proved to the security community that communication is a key cornerstone to vendor relationships.  No one likes to admit they have security problems.  Microsoft took the leap of not only admitting it had a problem, but also committed to delivering ongoing communications to its customers and to all computing users. Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.

Microsoft showed that communication and relationships are a two-way street.  The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software.  Today public disclosure of serious Microsoft security holes is now the exception.

Also, resource planning is table stakes in the enterprise IT world.  Being a cost center doesn’t help much, but IT has traditionally been underfunded and underappreciated.  What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences?  Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment’s critical security patch.  Living in a world of constant interruption is detrimental to morale completion of any planned projects.

With Microsoft’s new consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly.  The monthly patching cycle soon became better known as Patch Tuesday.  Later in Microsoft’s maturity model, it would introduce the advanced notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high level snippet of what to expect the following week.

Microsoft also proved value with consistency in other ways.  For example, Microsoft took the early bold step of defining its security criticality ratings and made the definitions public.  Even Microsoft’s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon.  Security people like repeatable and dependable systems.  Microsoft delivered just that.

Three cheers to Patch Tuesday.  It’s the second Tuesday of each month that we both love and hate.  Ten years ago, the Patch Tuesday initiatives created profound benefits to all Microsoft consumers by making it easier to keep systems patched and more secure.  At the time, the idea seemed so foreign, but has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit.  Spend just five minutes today and consider where you’d be today without Microsoft taking the leap 10 years ago.

Andrew Storms is the Director of DevOps for CloudPassage.

Categories: Microsoft