I have to admit it, I’m proud of Microsoft. After taking a beating for many years, Microsoft has gotten security right. It’s embedded in their development lifecycle and their update strategy has become a de facto standard. Many companies now provide regular patches and have made it easy for end users to ensure their applications are up-to-date.
Ten years ago, on January 15, 2002, Bill Gates released a historic memo announcing the new strategy of “Trustworthy Computing.” It required that security be a priority and that secure practices be embedded throughout the development and maintenance of Microsoft’s products. This started a history of openness from Microsoft on many security initiatives. You can view the history of Trustworthy Computing at http://www.microsoft.com/about/twc/en/us/history.aspx.
Even though they don’t share their source code, they do share many other things, such as their Security Development Lifecycle (SDL). This is the process for ensuring that security is considered at every phase as an application is being developed, rather than bolted on at the end. Microsoft requires that their developers follow this process and understand the concepts of developing secure products. In my opinion, all development efforts should have this requirement, but it seems that it continues to be lacking.
Also part of the Trustworthy Computing initiative started ten years ago is Microsoft’s update strategy. Initially, patches were released as they were ready. That caused problems for systems administrators, who could not plan testing and deployment windows around unpredictable releases, so Microsoft decided to roll out patches once a month on the second Tuesday, now commonly called “Patch Tuesday.” That practice continues today. To ensure there are no surprises, Microsoft even provides advance notification on the Thursday before, which gives a high-level overview of what to expect (affected products, severity ratings, and whether a restart is required). The Microsoft Security Bulletins page (http://technet.microsoft.com/en-us/security/bulletin) shows current and past updates.
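Because the cadence is fixed, it can be computed, and a practitioner can use that to catch hosts that have fallen behind. The script below is an added example, not code from the original post or from Microsoft: it works out Patch Tuesday (the second Tuesday) for any month, the Thursday advance-notification date that preceded it at the time, and whether a host’s last installed update is older than the most recent Patch Tuesday. The seven-day grace period is an assumption chosen for illustration, and the sample dates (January 2012) are constructed to match the month this post was written.

```python
from datetime import date, timedelta

# date.weekday(): Monday == 0, so Tuesday == 1 and Thursday == 3
TUESDAY = 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's monthly release day)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    # first Tuesday plus one week is the second Tuesday
    return first + timedelta(days=days_to_first_tuesday + 7)


def _next_month(year: int, month: int) -> tuple:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def _prev_month(year: int, month: int) -> tuple:
    return (year - 1, 12) if month == 1 else (year, month - 1)


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday on or after `today`, rolling over the year boundary."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    return patch_tuesday(*_next_month(today.year, today.month))


def last_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate <= today:
        return candidate
    return patch_tuesday(*_prev_month(today.year, today.month))


def advance_notification(release_day: date) -> date:
    """Thursday before a Patch Tuesday, when the advance notification was published."""
    return release_day - timedelta(days=5)


def patching_overdue(last_update_installed: date, today: date, grace_days: int = 7) -> bool:
    """True when the latest Patch Tuesday is more than `grace_days` old and the host
    has installed nothing since it. `grace_days` is an assumed policy value, not Microsoft's."""
    release_day = last_patch_tuesday(today)
    nothing_since_release = last_update_installed < release_day
    past_grace = (today - release_day).days > grace_days
    return nothing_since_release and past_grace


if __name__ == "__main__":
    # constructed sample: a host checked on 20 Jan 2012 whose last update was from December 2011
    today = date(2012, 1, 20)
    print("Last Patch Tuesday:", last_patch_tuesday(today))
    print("Advance notification was:", advance_notification(last_patch_tuesday(today)))
    print("Next Patch Tuesday:", next_patch_tuesday(today))
    print("Host overdue:", patching_overdue(date(2011, 12, 13), today))
```

On a Windows host the `last_update_installed` value would come from the newest `InstalledOn` date reported by `Get-HotFix`; here it is supplied as a constructed date so the check runs offline.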
Microsoft, you’ve come a long way baby. You are a leader who has taken their role seriously and provided many good products, resources, and references. You continue to live and breathe Trustworthy Computing. I just hope you can keep it up.
- History of Trustworthy Computing: http://www.microsoft.com/about/twc/en/us/history.aspx
- Microsoft Security Development Lifecycle (SDL): http://www.microsoft.com/security/sdl/default.aspx
- Microsoft Security Bulletins: http://technet.microsoft.com/en-us/security/bulletin
- Microsoft Safety & Security Center: http://www.microsoft.com/security/default.aspx