Rumours of a substantial Microsoft security commitment have firmed up over the past month. From conversations with people closer to the company than I am, the shape of what is coming is becoming clearer.
A short update.
What is being described
From the available reporting:
A formal company-wide commitment. Bill Gates is reported to be preparing a public memo for early 2002. The memo will reportedly commit Microsoft to security as a strategic priority equal to or above features. The phrase "trustworthy computing" is being used internally as the framing.
Development pauses for security review. Multiple Windows team divisions have reportedly paused feature development to do code review and threat modelling on existing products. The duration is reportedly months, not weeks. The scale is unprecedented for Microsoft.
Mandatory training for developers. All product engineers are reportedly being required to take a security-development training course. The course covers secure coding, threat modelling, and the rationale for the commitment. The intent is to shift the developer culture, not just the specific products.
Architectural changes. Specific changes to the Windows architecture being discussed include: integrating signing into the kernel module-loading process; restricting which processes can listen on network ports; making security boundaries explicit in the API. The detail is not public; the direction is consistent with what I have been advocating.
Why my prior is shifting
I was initially sceptical (60% real / 40% rhetoric in my October post). The information arriving has been increasing my probability estimate. The specific shifts:
The internal documentation suggests genuine commitment. People I trust who are inside or close to Microsoft describe internal documents that read as serious. The internal training materials are reportedly substantial. The pause-for-review work is real, not just announced.
The market pressure has not diminished. Customer pressure has continued to build through Q3. The economic case for the commitment is the strongest it has ever been.
The leadership-engagement story is consistent. Multiple sources describe Bill Gates personally engaged with the work. This is unusual; it suggests strategic-level priority rather than departmental initiative.
The cultural framing is right. "Trustworthy computing" is the right name for the right concept. The framing emphasises operator trust in the products, which is the structural problem. Naming the framing well is a small but real signal.
My current probability estimate: 75% that the announcement when it lands is substantively real; 25% that it is sophisticated repackaging.
What I am watching for
Three things over the next 6-12 months.
The actual memo, if and when it appears. The text will tell me a lot. Specific commitments versus aspirational language; named individuals versus collective statements; concrete metrics versus vague promises. The contents will distinguish strategic commitment from PR.
The Windows XP post-launch experience. XP shipped in October with substantial security improvements baked in. The patching cadence post-launch, the discovery of new vulnerabilities, the response time — all of these are evidence about the new posture.
Specific architectural changes shipping. Several of the rumoured changes — kernel module signing, network-listener restrictions — would be visible in product releases. When they ship, I can verify that the rhetoric matches reality.
The rate of new vulnerabilities in 2002. If Microsoft is doing serious internal work on security, the rate of advisories should noticeably decrease over 12-18 months. If the rate continues at 2001 levels, the work was less effective than claimed.
What this means for operators
For anyone running Microsoft infrastructure: continue with current disciplines. The structural improvement, if real, will affect future products. The current ones continue to need vigilant patching, defence in depth, and the operational hygiene I have been writing about.
For anyone making capital decisions: a 2-3 year horizon for substantial improvement is plausible. Decisions about platform choice should reflect this — Microsoft's products may be meaningfully better in 2004; they will not be in 2002.
For anyone communicating with Microsoft: continue the pressure. The commitment is partly produced by customer pressure; sustaining the pressure helps it land.
A small reflection
I have been writing about Microsoft's structural problems for over two years. The current shift — if it is real — is the first time the company has signalled willingness to address those problems at a structural level. The conversation is not finished; the reality is years away from the rhetoric. The signal itself is, however, the strongest yet.
For the broader open-source ecosystem this is good news. A more security-conscious Microsoft raises the floor of the industry; the structural improvements at one major vendor create pressure for the others. The cumulative effect compounds.
More as the actual announcement arrives.