Analysis Sunday marks the tenth anniversary of Bill Gates's trustworthy computing memo, which made securing applications from the ground up a key priority at Microsoft for the first time.
The directive followed a period during which Redmond took a sustained shelling over the instability and insecurity of its software, especially in Internet Explorer and Outlook, highlighted by the damage caused by high-profile malware outbreaks such as the rampaging Love Bug, Melissa and Nimda nasties.
The memo came after Microsoft had spent years fighting the Department of Justice's antitrust suit that centred on its Windows monopoly, in particular the bundling of IE with Windows, and two years after Redmond embraced web services with the launch of .Net.
The perception of insecurity was a problem for Microsoft as it weakened attempts to push its servers and associated applications into data centres, as well as nobbling its fight against Linux as a web server platform. It was hard for the Microsoft spin doctors to sell their products as reliable and always available if the software was easily susceptible to attack.
Gates's memo sought to tackle concerns about the security and reliability of Windows as well as addressing broader concerns about privacy and Microsoft's business practices more generally. As in so many fields of computing, the idea of trustworthy computing was coined years before Redmond latched onto the concept and began running with it.
In the wake of the missive, the corporation's developers boned up on the latest secure coding techniques. Microsoft attempted to emit products that were secure by design and by deployment. After regarding security researchers with an attitude approaching disdain, at best, the company became far more approachable, responsive and communicative. It has also worked with law enforcement agencies on botnet takedowns and other initiatives.
Notable achievements include adopting a security-focused lifecycle for software development and enabling the Windows firewall by default, something that belatedly put paid to the spread of the Blaster and Sasser worms.
Some things never change
Those measures were only put in place two years or so after the original trustworthy computing memo was issued on 15 January 2002. Ten years on and Windows malware is just as big a problem as it ever was and one of the key goals of the whole initiative - resilient computer systems - remains a long way off.
There have also been missteps and setbacks along the way, most notably the hated UAC (User Account Control) nagware that debuted with Windows Vista. Other demerits include Redmond's delayed guillotining of Autorun, which was only dropped from older versions of Windows years after it became a leading vector for malware infestation.
On the other hand, concerns about the security of Microsoft's applications have slowly abated while Adobe apps and Java have become the chief target of many hacking techniques. Privacy fears regarding Microsoft have been overtaken by sharper concerns over Google and Facebook.
While it has hardly been a resounding success, Microsoft's trustworthy computing initiative has made a positive impact on the industry and, to Redmond's credit, continues to produce fresh initiatives. For example, Microsoft is readying plans to provide a real-time threat intelligence feed, a move welcomed by security experts. The proposed free-of-charge service will distribute threat data from captured botnets and other sources. Redmond's security staffers are in the process of testing the service, Kaspersky Lab's Threatpost reports.
Ten years ago Microsoft was the butt or punchline of security-themed jokes. A decade later it is seen as an engaged partner and even a security leader, whose example other IT giants (hello Apple and, yes, Oracle) would do well to follow. ®