Happy Anniversary to Microsoft Trustworthy Computing Initiative

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided an insider view of this anniversary in a blog post. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.

Bill Gates’ memo was an important milestone in the history of software security: Microsoft, a major technology provider, stepped up to the plate to consider alternatives to patching as the way to fix the security of a product. Coincidentally, 2002 was also the year when I joined EMC and started EMC’s product security practice. I can assure you that Microsoft’s push has had a tremendous influence on EMC’s and many other technology companies’ direction for product security.

At that time, EMC was mainly a storage company with a much smaller target on its back than Microsoft. This gave us time to learn from Microsoft and from others what was working, and allowed us to design an approach to product security custom-made for EMC’s internal culture and the needs of our customers:

  • We created a prescriptive standard for product security based not only on the most common software security mistakes, but also on our customers’ regulatory compliance needs. It describes the security activities EMC product organizations are expected to perform during product development and the security features they are expected to build into their products in order to release products that are both attack-resistant and compliance-friendly.
  • We created our own Security Development Lifecycle (SDL), with activities similar to those in Microsoft’s SDL, but adapted to meet our needs. When we started rolling out our SDL in 2006, enough standards, such as MITRE’s CWE, and commercial tools, such as Static Code Analysis tools, existed that we did not have to invent our own!
  • We also innovated: we integrated software supply chain security considerations into our SDL and we created our own approach to threat modeling. Instead of considering an infinite number of threats that can apply to a system, we compiled a threat library and applied these threats to components in a dataflow diagram. We documented our approach to threat modeling in an article published by IEEE Privacy & Security Magazine and entitled “Developer-Driven Threat Modeling: Lessons Learned in the Trenches”.

Microsoft’s early push for software security and their willingness to document and share their approach with the rest of the industry were key to EMC’s early successes in product security. Just like Microsoft, we believe in the need for the industry to collaborate in this field. In 2007, EMC joined forces with Microsoft and other technology leaders to create SAFECode with the goal of sharing our secure development practices with the rest of the industry.

The tenth anniversary of Bill Gates’ Trustworthy Computing memo is a great opportunity to acknowledge Microsoft’s contribution to the field and to remind all of us to continue the push to make software security an inherent part of software engineering.

Happy Anniversary Microsoft!

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize