Microsoft: More secure but mission not over

A decade ago Microsoft embarked on the Trustworthy Computing Initiative to restore customers' trust in its products. For the most part, it's succeeded

In January 2002, Microsoft chairman Bill Gates kicked off the software maker's Trustworthy Computing Initiative with a companywide memo, telling employees "there are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level -- from the way we develop software, to our support efforts, to our operational and business practices."

Security problems continue to plague users and corporate customers in the software industry as a whole, but Microsoft has made great strides and set the standard in many aspects of how software should be designed, developed, secured, and supported.

Microsoft did not take the first steps on this road willingly; the software giant was pushed and prodded by hackers, security researchers, and virus writers. In 2001 the double blow of the Code Red worm and Nimda convinced Microsoft that efforts to secure its products were not working.

"Sadly, the only time when technology companies do things to improve security is when they have enough black eyes -- that's what happened with Microsoft," says Marc Maiffret, chief technology officer for eEye Digital Security and one of the original analysts who reverse-engineered the Code Red worm.

Soon after the company announced its Trustworthy Computing Initiative, the Slammer worm struck, infecting 90 percent of vulnerable servers running Microsoft SQL Server in less than 10 minutes, according to a report at the time. Later that year, the MSBlast or Blaster worm reminded the company again of the importance of security: More than 25 million PCs were eventually infected with that worm.

"It was the turning point for us," says Tim Rains, director with Microsoft Trustworthy Computing. "We had already started getting serious because of SQL Slammer, but Blaster was the one that really galvanized the entire company."

Secure development lifecycles, modern software patching and updates, and the general availability of software security features -- such as data-execution protection and address space layout randomization -- are features of all modern operating systems, in part because of Microsoft's quest to secure Windows and its other software. While the company did not invent most of the technology, it did refine important pieces and made them standard business practice.

The results can be seen in recent data. In December, for example, Microsoft published a tally of all the vulnerabilities released since 2004, when the company started tracking the criticality of the flaws in its software. Since 2006, with the exception of one year, the number of vulnerabilities rated critical in the company's software has declined on a relative basis. Last year the company had the lowest number of critical-rated vulnerabilities since 2005.

The company still has a ways to go, in part because of its backwards compatibility with older -- and less secure -- products and standards. Computer viruses, Trojans, and spyware continue to be a problem, but mostly because the criminals have evolved their techniques and can routinely fool a small number of users into running a malicious program.

Compared to the software industry as a whole, Microsoft has created an enormous amount of trust in the past decade. By that measure, the initiative has been a success.

This story, "Microsoft: More secure but mission not over," was originally published at

Copyright © 2012 IDG Communications, Inc.