Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently gave an insider view of this anniversary in a blog post. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.
Bill Gates’ memo was an important milestone in the history of software security: Microsoft, a major technology provider, stepped up to the plate to consider alternatives to patching as the way to fix the security of a product. Coincidentally, 2002 was also the year when I joined EMC and started EMC’s product security practice. I can assure you that Microsoft’s push has had a tremendous influence on EMC’s and many other technology companies’ direction for product security.
At that time, EMC was mainly a storage company with a much smaller target on its back than Microsoft. That gave us time to learn from Microsoft and from others what was working, and allowed us to design an approach to product security custom-made for EMC’s internal culture and the needs of our customers:
- We created a prescriptive standard for product security based not only on the most common software security mistakes, but also on the regulatory compliance needs of our customers. It describes the security activities EMC product organizations are expected to perform during product development and the security features they are expected to build into their products in order to release products that are both attack-resistant and compliance-friendly.
- We created our own Security Development Lifecycle (SDL), with activities similar to the ones in Microsoft’s SDL, but adapted to meet our needs. When we started rolling out our SDL in 2006, enough standards such as MITRE’s CWE and enough commercial tools such as Static Code Analysis tools existed that we did not have to invent our own!
- We also innovated: we integrated software supply chain security considerations into our SDL and we created our own approach to threat modeling. Instead of considering an infinite number of threats that can apply to a system, we compiled a threat library and applied these threats to components in a dataflow diagram. We documented our approach to threat modeling in an article published by IEEE Privacy & Security Magazine and entitled “Developer-Driven Threat Modeling: Lessons Learned in the Trenches”.
Microsoft’s early push for software security and their willingness to document and share their approach with the rest of the industry were key to EMC’s early successes in product security. Just like Microsoft, we believe in the need for the industry to collaborate in this field. In 2007, EMC joined forces with Microsoft and other technology leaders to create SAFECode with the goal of sharing our secure development practices with the rest of the industry.
The tenth anniversary of Bill Gates’ Trustworthy Computing memo is a great opportunity to acknowledge Microsoft’s contribution to the field and to remind all of us to continue the push to make software security an inherent part of software engineering.
Happy Anniversary, Microsoft!