That’s a really long time. Think about what you were doing 10 years ago. Can you even remember? Maybe you were in college or high school, or cripes, even grade school. Or maybe you were working in security already, trying to figure out why your network kept getting overrun by viruses and attackers.
You know what Microsoft was doing 10 years ago?
Making really, really buggy software and watching its customers get owned left and right.
The early part of the 2000s was not a good time for the folks in Redmond. The company was taking a serious public beating for the instability and insecurity of its software, especially Internet Explorer, Outlook and Windows. VBScript viruses such as I Love You, Melissa and others were running wild, and large enterprise customers were screaming, pounding their shoes on the table and demanding answers from Microsoft.
And Microsoft didn’t have any.
The company had spent the last few years defending itself against the Department of Justice’s antitrust suit centered on its Windows-IE monopoly. Much of its energy and resources–not to mention money–were devoted to the case, which Microsoft ultimately lost. Then, when the dust settled and company officials began looking around to see what had been going on while they were buried in federal courtrooms for three years, what they found was something like the information age version of the angry mob of villagers with torches and pitchforks.
To say that customers were not happy would be like saying Bill Gates has some money tucked away.
As it turned out, it was Gates himself who would provide the spark that would ultimately light a fire under the thousands of developers, product managers and engineers in Redmond to make security not just a priority, but the priority.
The email that Gates sent on Jan. 15, 2002, has come to be known as the Trustworthy Computing memo and it is often pointed to as the origin of any sort of security awareness at Microsoft. But that’s not really the case. Gates’s email may have been the first real public expression of that sentiment, but some people inside the company had been thinking along those lines for some time.
The first step is admitting you have a problem, of course. But then you have to do something about it.
A few months before Gates sent his email, Microsoft held a small conference in Redmond on what it then called trusted computing, bringing in a series of software security experts to discuss the principles and concepts that are the foundation of building more secure software. There were a few reporters there and some security researchers and the fascinating thing about it was that it was not Microsoft officials preaching their ideas to the audience, but trying to learn from the assembled experts. Odd.
And well before Gates pushed the button on his email, there were people inside the company talking about the same concepts–reliability, robustness and resistance to attack–and advocating that developers build their applications around them.
In the months following the publication of Gates’s email, Microsoft began a number of painful internal changes designed to refocus its developers around the idea of building secure software. Until then, the ship-or-die mentality had reigned supreme inside the company, and features and functionality were the two-headed god that every developer worshipped. The chances of a team stopping shipment because of a security problem at that point were zero point zero zero.
But within a few months of Gates’s memo, that’s exactly what happened. The company stopped development on several major products in order to put their developers through security training. Since then, the company has developed and released a slew of software security tools and methodologies and somehow turned Microsoft from the butt of every joke in the industry into an organization that’s seen as doing it the right way.
But it wasn’t just Microsoft that began changing in those days. The turnaround initiated by the company and Gates also took hold in the wider software industry and other industries, albeit much more slowly and spottily. After Microsoft’s public declaration of the need for change, the sentiment began to spread to some of its larger customers. Then, more and more financial services firms, insurance companies, telecoms and other companies got on board, starting their own software security programs.
By the middle to latter part of the decade, Microsoft not only wasn’t the object of every joke in the security community, it was being used as an example of how to do things right, how to get your collective stuff together and fix what’s broken.
So, what Gates’s memo turned out to be was not just a directive for Microsoft developers, but a call to arms for the rest of the industry, as well. It was by no means the beginning of the software security movement. Not even close. But it was, in fact, the beginning of something different and perhaps more important: widespread acceptance that software security needed to be a top priority.
Even for Microsoft.
*Microsoft homepage image via SeattleClouds.com’s Flickr photostream