On December 7th, 1995 something extraordinary occurred at Microsoft. For years our primary focus for software development had centered around narrowly scoped features that centered around the isolated experience of the personal computer. To the extent connected experiences mattered it was always in the context of corporate networks. The idea of a personal network in a home connected to a giant world-wide network of computers wasn’t a scenario that factored into our planning.
Until that day. On that day a memo from Bill Gates to the entire corporation arrived in my inbox. It laid out in precise terms how we’d come late to the game on the Internet experience and we would now be focusing all of our energy on it. It was a galvanizing event. A ship as big as Microsoft turned overnight.
The power of such a memo is easily diluted. If used too often it loses the effect. If used for small issues it can lead to too much energy being applied to something. Bill didn’t send another memo of its like for a while, but when he did it had the exact same effect.
On January 15th 2002 Bill sent a memo to all employees entitled “Trustworthy Computing.” In it, he articulated the case to pivot all our efforts in creating what was then the .NET platform to lead something he termed “Trustworthiness in Computing.” Casting computer security against the industry and the world at large (including the terrorists attacks of 2001) Bill laid out key pillars of this effort: Availability, Security, and Privacy. He tied the impact that a security vulnerability has to trust in Microsoft and our products. He then made what I believe was the most fundamental change in our development methodology that would achieve the goal of more secure software:
“So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”
The greatest impact of that memo is that I see younger people today in the industry read that line and shrug and say “well of course.” But the computer industry was very different at that time. People rushed to focus on features first, not just at Microsoft but other companies as well. In general, my experience with software developers across the industry in the late 90’s was that security audits were routinely seen as a “tax” on development, and anyway if someone exploited a bug as an attack then that’s a crime and the law should handle it.
Bill’s memo transformed overnight the mindset of our development to think as much about misuse of features as use of them. That security was a fundamental aspect of software quality.
Today, security is at the forefront of software development. Computer security is very much a journey, not a destination; much remains to be done. But I look at the world of software and development today and I see a much different world than in 2002. It’s fair to say that much of it started with a memo from Bill Gates on January 15th. Great work is still occurring every day, and to celebrate an amazing ten years the Trustworthy Computing team has made a special post, you can read about it here.