Tenth Anniversary of Gates Trustworthy Computing Memo

Friday, January 27, 2012

Fergal Glynn


January 15th was the 10th anniversary of Gates' Trustworthy Computing memo.

The effects of this memo have already been discussed on Threatpost, so I thought it would be interesting to take a different angle on commemorating this event – Where were you on 1/15/2002?

I asked a mixed group of my colleagues at Veracode to answer this question. The group spans a wide age range and comes from many different backgrounds. Some of the answers are really funny! I hope you enjoy!

Chris Wysopal was managing the research team at @stake, a security consulting company with a strong focus on application security. The day before Jan 15th he was on the campus at Microsoft for a sales presentation pitching @stake’s application security services to Microsoft, along with fellow @stake technical leaders Window Snyder (now at Apple) and Frank Swiderski (now at Google).

@stake would go on to provide application assessment services (threat modeling, code review, application penetration testing) for many Microsoft products. Within two months of the Trustworthy Computing memo, @stake had their “A Team”, including Christien Rioux (now at Veracode), Chris Eng (now at Veracode), Chris Wysopal, Frank Swiderski, Window Snyder, and Dave Aitel (now at Immunity), assessing the first product at Microsoft to embed application security practices into the SDLC, Microsoft IIS 6.0.

Chris Lytle was in high school at the time. Chris guesses that most of what he was doing was trying to get a date with the cute middle on the volleyball team. Outside of sports and dating, Chris was spending time trying to get Linux running on his dad’s old work laptop and passing CDs of cDc textfiles around school.

Ben Greenwald was in graduate school at MIT, working with the MIT Computer Architecture Group on the RAW Microprocessor Project, one of the first compiler-coordinated multi-core processors. The group was in heavy hardware design testing mode, using both software and hardware (FPGA) simulation, in preparation for fabricating the chip later that year in what was then IBM’s brand new 0.15 micrometer, 6 copper metal layer ASIC process.

Fergal Glynn was working at Fidelity Investments and being introduced to application security testing by Ryan O’Boyle and consultants from @stake and Foundstone. Ryan was teaching Fergal how to use network scanners, how source code analysis works, and how to manually review code for security issues.

Melissa Elliott was in grade school, and as yet completely unaware of the world of computer security that would eventually become her night and day. Her biggest “hack” was attempting to patch the boot logo in Windows 2000, not realizing that she was using a patcher for Windows XP. Oops. When she noticed a few years later that she was the only person she knew whose Windows machine had never been trashed by a virus (bricking NTDLL doesn’t count), she realized that security was just as much about user education as it was about technology.

In Kevin Dunn’s own words: “When I think of 2002, I think of 0days and how it seemed like the heart of the AppSec Gilded Age with its creation of an expanded software security economy. Of course, that reflects a significant amount of personal nostalgia, but at @stake in 2002, we were young and wild and free; and the world’s software was “target rich”, to say the least.

Every project was exciting and the findings were devastating. If you didn’t crack the product or environment completely wide-open, and I mean wide-wide-open, then you had failed (a true professional failure, worthy of peer admonition – not a modern day ‘FAIL’ :> ). The browsers, web servers, proxy servers, application servers, and databases of the time were just starting to get their act together, but they were still riddled with holes and if you knew where to look, you could find them.

We even had a demo website that could activate your microphone and stream back the audio without the user ever having a clue. No matter the browser, we could hear you. A global spy network just waiting to be activated. Hrm, the more I reflect on 10 years ago, the more it seems like 10 days ago. It’s just that now, there’s an app for that.”

Captain @stake Steve Roge was selling manual code reviews to Fidelity for $150 per hour and every consultant who worked on the project hated him because they didn’t want to sit in a cube with a pencil reviewing code line by line. Steve believes this was the shift when folks like Fidelity started to look for automated solutions because they wanted to go deeper and broader on their application inventory and knew angry consultants wouldn’t scale.

Chris Eng was a security consultant at @stake, delivering web application penetration tests and product security assessments for large enterprises and ISVs. On the date in question, he was pen testing a network appliance, poking around at WebSphere bugs, and gearing up for a product assessment at Macromedia (now Adobe). The interesting thing about that assessment was that we were testing against a beta version of the product. So while many companies were still doing all their security testing post-release – or not at all – Macromedia already understood the value of pushing security further back into the SDLC. This was pretty rare at the time.

Tim Jarrett. On January 15, 2002, I was in business school and had just accepted a job offer from Microsoft. At the time it was a very different company–hip deep in the fallout from the antitrust suit and the consent decree; having just launched Windows XP; figuring out where it was going on the web (remember Passport?). And the taking of a deep breath that the Trustworthy Computing memo signaled was the biggest sign that things were different at Microsoft.

And yet not. It’s important to remember that a big part of the context of TWC was the launch of .NET and the services around it (remember Passport?). Microsoft was positioning Passport (fka Hailstorm) as the solution for the Privacy component of their Availability, Security, Privacy triad, so TWC was at least partly a positioning memo for that new technology. And it’s pretty clear that they hadn’t thought through all the implications of the stance they were taking: witness BillG’s declaration that “Visual Studio.NET is the first multi-language tool that is optimized for the creation of secure code”. While .NET may have eliminated or mitigated the security issues related to memory management that Microsoft was drowning in at the time, it didn’t do anything fundamentally different with respect to web vulnerabilities like cross-site scripting or SQL injection.

But there was one thing about the TWC memo that was different and new and that did signal a significant shift at Microsoft: Gates’ assertion that “when we face a choice between adding features and resolving security issues, we need to choose security.” As an emerging product manager, that was an important principle for me to absorb–security needs to be considered as a requirement alongside user facing features and needs to be prioritized accordingly. It’s a lesson that the rest of the industry is still learning.

Tyler Shields had left a dot com startup in the fall of 2001 and was in transition to a consulting career with @stake on January 15, 2002. On the specific date that the memo was released, Tyler was employed by a large national security consulting firm and was embedded within the United States Postal Service. Tyler was conducting incident response and forensics engagements on one of the world’s largest networks. Incident response was a mix of constant preparation and occasional frantic engagements. It felt way too responsive.

The Trustworthy Computing Memo motivated Tyler to begin a transition, from incident response and forensics, to application security related research. In Tyler’s eyes, it was becoming clear that secure code was going to be the key to a secure future. At the end of the day, exploits, flaws, vulnerabilities, and security issues generally trace back to an error in code. Attacking the root cause of the problem would provide the most return on the security problem that was rapidly developing. Tyler joined @stake in the fall of 2002 and helped them become the premier application consulting company of the 2000s.

Mark Kriegsman. By January 2002, I had sold my Internet startup (Clearway Technologies), and I was looking around for what I thought the Next Big Thing would be. Within a couple of months, I would join Christien at @stake, shaping and building “SAF”, which would in turn become Veracode’s flagship offering in static binary testing. Given the successes of the last ten years, I’d say “AppSec” was indeed the Next Big Thing!

Christien Rioux was working at @stake, starting the CVS repository for the reboot of the ‘undeveloper studio’ project that he had been working on for two full years already that came to be known as ‘SAF’, the ‘Software Analysis Framework’. Christien was just given clearance by the CEO to hire his first two developers, Mark Kriegsman and Dan Garcia, both of whom have remained either fully or partly employed by Veracode ten years later. Christien had hair and it was blue!

Where were you 10 years ago? We’d love to hear your stories – add them to the comments section.

Cross-posted from Veracode Blog
