Microsoft says it is set to raise the bar on security and expand its work in this area as the software maker marks 10 years since the introduction of its Trustworthy Computing (TwC) group.
Details of the plan, dubbed “TwC Next”, are to remain under wraps until the RSA Conference 2012 in San Francisco in February, but will include evolving privacy models and requirements, says Steve Lipner, partner director of programme management, TwC group, Microsoft.
As TwC goes into the next decade, operations will expand to focus on privacy and security in the cloud as well as other new computing models and device form factors, he told Computer Weekly in an exclusive interview.
TwC Next will also examine how industry and government can collaborate to make a more trusted internet ecosystem and seek to tackle the major trend towards targeted attacks and persistent adversaries. “This is something we, as a community, have to confront and mitigate,” said Lipner.
Microsoft is setting a course to tackle a new generation of emerging threats in much the same way it did in 2002 when on 15 January that year Microsoft chairman Bill Gates sent an e-mail memo to all employees, identifying Trustworthy Computing as the top priority.
“I believe the highest priority for the company and for our industry over the next decade [is] building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today,” Gates wrote within weeks of a series of high-profile cyber attacks that, for Microsoft, came to a head with Code Red and Nimda in late 2001, says Lipner, who at the time was director of security assurance.
The memo led to all Microsoft developers receiving security training and the creation of the TwC group that focuses on secure software development practices and creating methods, tools and resources for reviewing and resolving security problems.
“A major accomplishment of the TwC group has been enthusing trustworthiness, security, privacy and reliability into the culture of Microsoft to the point where we are able to do things people believe are examples for the industry,” said Lipner.
Ever since Microsoft’s Security Development Lifecycle (SDL), which includes privacy development principles, was introduced as a company-wide initiative in 2004, it has helped set the standard for the industry, with other suppliers adopting it or building their secure development practices based on it, including Cisco and Adobe.
“The SDL and privacy standards are published on the web and there has been a lot of usage, which we think has been a real benefit of TwC to the ecosystem,” said Lipner.
Microsoft says there have been nearly 700,000 downloads of SDL tools and methodology, which is designed to apply to any platform.
SDL Agile, which is targeted at developers working on applications with shorter development cycles and works across cloud platforms, has been downloaded over 18,000 times.
Internally, Microsoft measures the benefits of the SDL in various ways, including the number of vulnerabilities identified in a product a year after its release.
In the case of Windows Vista, the first Microsoft operating system to be developed using the SDL, 45% fewer vulnerabilities were reported a year after launch than for Windows XP, which was developed before the SDL, while SQL Server 2005 had 91% fewer vulnerabilities than the pre-SDL SQL Server 2000.
“We have made progress and learned a lot of lessons, but we know we are not done. Computing is part of the fabric of society and trustworthy computing is still something we have to focus on,” said Lipner.