Anniversaries are often a time to reflect on the past but also to look to the future. A major anniversary in the field of computer security was reached on the 15th of January this year. That date marked the 10th anniversary of Bill Gates' famous memo marking the start of Microsoft's Trustworthy Computing Initiative. Those of us who were around in 2002 remember that Microsoft was taking a lot of criticism, and rightly so, for the lack of security in their products. That memo would mark a major milestone in computer security. Customer demand to address the lack of security in Microsoft's products was high, so it was important at the time that Microsoft were seen to be taking action in the area of computer security.
Ten years later it is evident that Microsoft has upped their game in the area of IT security. Many of their products are now secure by design rather than having security bolted on as an afterthought. While there are still security bugs in those products, there are arguably far fewer than there would have been had the Trustworthy Computing Initiative not been launched. Microsoft also now provides many resources relating to security, many of them free. And while system administrators look with dread at the first Tuesday of each month on their calendar, Microsoft's patch management strategy is regularly cited as an example for other organisations to follow.
So here we are, one decade later, yet we still read headlines about various organisations being compromised or major vulnerabilities being found in software products, systems and websites. Many would argue that this demonstrates the Trustworthy Computing Initiative failed and that it was simply a public relations exercise. But is that really fair? Can we in all honesty keep pointing the finger at Microsoft and blaming our security woes on one vendor?
In Secunia's 2010 annual report they highlight that over 69% of software vulnerabilities on the Windows platform are in third party applications. If we look at some of the major breaches in the past 12–18 months, such as Sony, RCA and Google, major contributory factors were lack of user security awareness and/or unpatched or out of date systems.
Ten years ago Microsoft's CEO committed his organisation to improving its security. I say that at this milestone let us all take a brief moment to reflect on what we can do to instigate a Trustworthy Computing initiative in our own organisations. Some steps to do this could be:
- Get full management support for information security. Not just a memo to staff but active engagement with information security. For example, when was the last time your CEO attended a security awareness session?
- Have you got security requirements built into your standard request for tenders template? The OWASP Legal Project provides an excellent resource to include in vendor software contracts, the OWASP Secure Software Contract Annex.
- Are your developers aware of the OWASP Top Ten Project? Are they aware of other secure development initiatives such as the SANS Institute's Top 25 Most Dangerous Software Errors or the SafeCode project?
- Are you aware of the SANS Institute's Twenty Critical Security Controls, and have you implemented any of them?
- Have you implemented a standards-based Information Security Management System such as one based on the ISO 27001:2005 Information Security Standard?