Editor’s Note: This is a guest post from Rich Mogull, founder of Securosis LLC, an independent security consulting firm. Prior to founding Securosis, Rich was a leading analyst at Gartner. He has 12 total years of experience as a security analyst.
Depending on your age, you might remember when the U.S. Hockey dream team won the 1980 Olympics, the first moon landing, or where you were as we entered the new millennium.
Me? Well, aside from some of those items, I'm chagrined to admit I remember when Bill Gates' Trustworthy Computing Initiative memo was released to the public. Not that there's anything wrong with that; depending on how you feel about certain levels of security geekery.
Unlike some other people I expect to be writing about Trustworthy Computing’s 10th anniversary this week, I wasn't an employee at Microsoft when the memo was released. At the time, I was working as an analyst at Gartner, and I was one of the people who contributed to the initial analysis. If I remember correctly, the analyst relations and PR people we talked with at Microsoft weren't overly thrilled with our first take, but weren't calling it too unfair (in public - privately they may have been burning us in effigy, although I doubt it). (Mostly.)
The short version of our initial reaction was something along the lines of, "this is a great idea if they actually do it, but it will take years before the results show up in products".
Personally, I was skeptical yet hopeful. At the time, the world had never seen a software vendor change gears so dramatically on security, never mind one with the scope of Microsoft. On the other hand, we were sort of collectively in a steaming pile of pudding if Microsoft couldn't pull this off. I did think Bill was committed and meant what he wrote; the question was whether such a large company could spin on such a tight pinhead and move into a direction so few had traveled.
In interviews at the time, I said it would take one to three years to see if anything was changing, and at least three to five years for real changes to impact customers. Maybe even closer to five to 10. Why? Because not only would Microsoft have to clean up millions of lines of code and improve development of upcoming products, they would then have to release said products and users would have to, you know, buy and install them.
The first big public test of the TWC and SDLC for me was the release of SQL Server 2005 - one of the first major products completely revamped and developed from the ground up to be secure. The result? It was years before the first disclosed vulnerability, and the product family line runs far fewer vulnerabilities than any competing platform.
It's now 10 years later and I don't think any reasonable person could argue TWC hasn't had an impact both inside and outside of Microsoft. Products improved, but more importantly the words "secure development" transitioned from "academic exercise", through "joke", into "process". Few major software companies or online services release products without at least some degree of security testing, and companies make the front page of major newspapers when they forget to deploy with default security on popular platforms.
The TWC initiative clearly isn't solely responsible for all of these advances, but the role of that memo and the commitment to follow it can't be denied.
But the story is far from over yet. Flash forward to this morning - I woke up, checked e-mail, and lost an hour of my day to helping a close friend infected with scareware. He was running Windows XP which, despite being updated with service packs and protected with current antimalware, is still a 10 year old operating system. It's the fourth call like that I've had in the past few months, all running antiquated operating systems, despite ready availability of far more secure and modern alternatives.
Plus, even cursory skimming of vulnerability reports shows we are a long way from secure development being the default within the development community. The next (current?) major challenge for operating system vendors is securing the OS from the very applications running on it.
We're 10 years in. The software world is dramatically different, but we are still only at the start of a very long trip.