By Patrick Marshall

Blog archive
Man unhappy with lemon on plate

When software development produces a lemon, make lemonade

In January 2002, Microsoft’s Bill Gates—then chairman—sent out his trustworthy computing memo, spurred by a growing wave of dissatisfaction about the security failures of the company’s operating systems and applications. As a result of past failures, Microsoft has helped to change the way we think about software development.

The late 1990s and early 2000s were difficult times in Microsoft security. A major vulnerability in the Universal Plug and Play feature of Windows XP was found just months after the release of the OS in 2001. In January 2002 the Electronic Privacy Information Center in Washington sent a letter to state attorneys general complaining of the lack of privacy controls in Microsoft’s Passport, Wallet and .Net services.

“I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting,” Matt Thomlinson, vice president of security for Microsoft, said of the impact of the XP bug in an online history Microsoft’s security initiative. “We actually had to bus in engineers, many of whom were working on the next version of Windows, from their offices around campus to the call center. We needed every person available to talk to customers and walk them through how to get their systems cleaned.”

On Feb. 1, 2002, Richard Purcell, head of Microsoft’s corporate privacy office, announced in Washington a month-long moratorium on new coding.

Gates, Purcell told the audience at a privacy and data security conference, “is really annoyed by the incredible pain we put everyone through in computing.” As a result, “we are not coding new code as of today for the next month,” he said. The company instead would spend the time going over old code as a first step in cleaning out bugs. “It’s time to get the garage cleaned out.”

Twelve years later, the Trustworthy Computing initiative is not finished, and probably never will be. David Aucsmith, senior director of Microsoft’s Institute for Advanced Technology for Governments, said recently in in Washington, “I do not believe you can create a secure computer system.”

The problem is, “we build systems far more complex than our ability to understand them,” Aucsmith said. Because we don’t know what we don’t know, built-in security inevitably will be incomplete, and software and hardware will always have to adapt to newly discovered threats and exploits. “Nothing static remains secure.”

But the Secure Development Lifecycle (SDL) that grew out of the Microsoft initiative has helped to change the way developers think about software security. The SDL process now shows up as a requirement in government procurements, and the National Security Agency says it has made an impact on OS security.

“A fundamental goal of the SDL process is to reduce the attack surface,” NSA said in an evaluation of Windows 7 security for the Defense Department and the intelligence community.  “Since adoption of the SDL process, the number of Common Vulnerabilities and Exposures on Microsoft products in the National Vulnerability Database has declined.”

“A preliminary System and Network Analysis Center analysis has determined that the new Windows 7 security features, coupled with the use of the SDL process throughout the development cycle, has assisted in the delivery of a more secure product,” the assessment concluded.

We still are a long way from being as secure as we want to be or can be. But there has been progress.

Posted by William Jackson on Mar 21, 2014 at 6:32 AM


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.