On Jan. 15, Gates issued an email memo that marks a third landmark shift, this one an all-out effort to make security job one.
I can sense the skepticism in the air, but I've seen the memo and I believe Gates really gets it. Whether he will be able to translate his vision for "Trustworthy Computing" to his legions of developers is another question, but I don't see how this initiative can be anything but positive for security professionals and the public in general. (Full disclosure: As an independent writer and editor, I do work for publications funded by Microsoft, but this Web site isn't one of them.)
"There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level from the way we develop software, to our support efforts, to our operational and business practices," Gates wrote. "As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
That's an important point, as it shows that Gates recognizes security begins with writing secure code. In the past, Microsoft was clearly more interested in getting products out the door quickly than in making sure they were secure. It appears this is about to change.
"Now, when we face a choice between adding features and resolving security issues, we need to choose security," he wrote.
The logical question that statement raises is, "How?" How do thousands of programmers who are used to writing code with features and functionality as their primary concern suddenly change course and think of security above all else?
That point is not addressed in the Gates memo, but reports published in The New York Times and elsewhere suggest Microsoft is going to call a massive time-out, until all its programmers are schooled in secure coding.
"The new emphasis on making software safe from malicious intruders will include stopping the development of new operating system software for the entire month of February and sending the company's 7,000 systems programmers to special security training," according to the Times. I hope that's true, as that is exactly the kind of investment we need to turn the security tide. It makes far more sense to invest dollars in teaching secure programming techniques than it does to spend those same dollars cleaning up after virus attacks.
Gates also seems to finally be on board with an idea security professionals have known for some time: Services that make a system potentially vulnerable should be turned off by default, not the other way around, as has typically been the Microsoft way.
"Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve," Gates wrote.
Gates' Trustworthy Computing vision also goes beyond security, to address availability and privacy as well. Indeed, these three disciplines should go hand in hand, as security breaches result in availability problems as well as privacy concerns.
Last fall, Microsoft took its first big step toward addressing its security problems with the launch of its Strategic Technology Protection Program, which is largely intended to help customers ensure they are patching all known vulnerabilities in Microsoft products. The Trusworthy Computing initiative is a logical next step, as it is intended to ensure that fewer vulnerabilities find their way into those products to be begin with.