Gates Explains How Microsoft's Trustworthy Computing Initiative Is Going
by Timothy Prickett Morgan
It's not every day that I get an email from Bill Gates, chief software architect and chairman of Microsoft, but it looks like it might be happening from time to time. Like many people last week, I got an email from Gates discussing at length Microsoft's efforts to improve the reliability and security of its products, which come under the Trustworthy Computing initiative at Microsoft. Gates and the top brass intend to use email as a means of reaching out to the Windows community to talk about Trustworthy Computing and other important issues.
Back in February, Gates sent out a lengthy memo to all Microsoft full-time employees outlining his view from the top on the security of Microsoft's products as well as those of other vendors, and committing Microsoft to making security the number-one priority of the company. This is the essence of Trustworthy Computing, which Gates says is one of those company-wide initiatives that define what Microsoft will be concentrating on for the next few years.
To drive the Trustworthy Computing message home, Microsoft hired Scott Charney, the principal partner at PricewaterhouseCoopers' cybercrime prevention and response practice, to become the company's chief security strategist. Charney worked at the U.S. Department of Justice as chief of the Computer Crime and Intellectual Property Section of the Criminal Division and was an assistant district attorney in Bronx County, New York, where he was ultimately promoted to the position of deputy chief of the investigations bureau.
Trustworthy Computing is about more than hiring a security expert and admonishing programmers to do a better job in implementing security measures and better coding practices in the applications that Microsoft produces. For any quality control initiative to work, no matter what product or service a company sells, support has to come from the top down so real change in how things work can be accomplished. That is why Gates has not only been giving Trustworthy Computing a lot of lip service since February, but has also been instructing Microsoft's 50,000 employees to take a step back, look at how they do things, and change them to be more consistent with the new Microsoft vision of products that focus more on good coding practices, reliability, and security rather than on feature creep.
If you didn't get the email from Gates talking about Trustworthy Computing, you can read it by clicking here.
Within this email, there is a link to subscribe to future Trustworthy Computing updates, which is http://register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155.
The main thing that Microsoft did first in the Trustworthy Computing initiative was to freeze all application development on many of Microsoft's core Windows operating systems to take a hard look at the code in its products to examine how unreliable and insecure code gets into Windows in the first place. The development work of 8,500 software engineers was put on hold a few months ago as part of this review, which Microsoft initially figured would only take a month. As it turned out, the review took almost two months and cost the company a whopping $100 million. Gates said that code reviews and security training for the developers who work on the Office suite and on the Visual Studio .NET tool are being undertaken now, and that other applications are in the process of being reviewed.
Microsoft has lofty goals for the Trustworthy Computing initiative, and Gates outlined them in his email:
Gates says that the process by which Microsoft develops applications has changed in all phases of the development cycle. Microsoft has also introduced new management tools and services to improve the process by which errors in operating systems and applications get reported to Microsoft and by which customer software is kept up to date to make it more secure. While Gates promises that Microsoft will do its part to make Trustworthy Computing an approach to creating applications, not just PR, he says that customers have to do their part. Specifically, he is asking customers to activate the error reporting features in Windows XP and Office XP, to use Windows Update to keep their machines current, and to use Software Update Services and Baseline Security Analyzer (security management tools created for commercial Windows customers) to keep their machines up to date.
Last Updated: 7/24/02 Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.