On October 9th 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. Ten years ago, the program was announced with a press release that promised
- “Improved patch management processes, policies and technologies to help customers stay up to date and secure.”
- “Global education programs to provide better guidance and tools for securing systems.”
Within the press release, Steve Ballmer was quoted as saying,
“Our goal is simple: Get our customers secure and keep them secure,” Ballmer said. “Our commitment is to protect our customers from the growing wave of criminal attacks.”
Those of us working in the security industry or with corporate information security responsibility saw this as a direct response to the famous Trustworthy Computing memo penned by Bill Gates in January of 2002. The signs were clear. Microsoft was faced with a serious dilemma. Their software was riddled with security holes that were having a direct negative effect on their customers’ security, availability and privacy. In corporate IT, Microsoft had quickly earned its own nickname of the necessary evil. IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.
Whether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.
Microsoft proved to the security community that communication is a key cornerstone of vendor relationships. No one likes to admit they have security problems. Microsoft took the leap of not only admitting they had a problem, but also committing to ongoing communication with its customers and with all computing users. Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.
Microsoft showed that communication and relationships are a two-way street. The powerhouse eventually matured to the point where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.
Resource planning is table stakes in the enterprise IT world. Being a cost center doesn’t help much, but IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment’s critical security patch. Living in a world of constant interrupts is detrimental to morale and to the completion of any planned projects.
With Microsoft’s new consistent patch release timing, enterprise IT could depend on a known schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft’s maturity model, they would introduce the advance notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high-level snippet of what to expect the following week.
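The schedule described above is easy to compute ahead of time, which is exactly what makes the resource planning possible. The following is an added example, not code from the original post or from Microsoft: it derives the second Tuesday of each month and the Thursday before it, so a change calendar for a whole year can be generated in advance. Function names are my own.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's monthly release day."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Sunday == 6; days until the first Tuesday
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def advance_notification(year: int, month: int) -> date:
    """Thursday before Patch Tuesday, when the advance notification goes out."""
    return patch_tuesday(year, month) - timedelta(days=5)


def yearly_schedule(year: int) -> list[tuple[date, date]]:
    """(notification Thursday, Patch Tuesday) pairs for every month of the year."""
    return [(advance_notification(year, m), patch_tuesday(year, m))
            for m in range(1, 13)]


if __name__ == "__main__":
    # Constructed usage: print the planning calendar for one year
    for notify, release in yearly_schedule(2013):
        print(f"notify {notify:%a %Y-%m-%d}  release {release:%a %Y-%m-%d}")
```

The release date always falls between the 8th and the 14th, so a monthly change window reserved for that range never needs moving.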
Microsoft also proved the value of consistency in other ways. For example, Microsoft took the early bold step of defining its own security criticality ratings and made the definitions public. Even Microsoft’s security bulletin text format and sections were delivered in a consistent layout that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.
Three cheers to Patch Tuesday. It’s the second Tuesday of each month that we both love and hate. 10 years ago, the Patch Tuesday initiatives created profound benefits for all Microsoft customers by making it easier to keep their systems patched and more secure. At the time, the idea seemed so foreign, but it has since gained so much following that other vendors like Cisco, Adobe and Oracle have followed suit. Spend just 5 minutes today and consider where you’d be without Microsoft taking the leap 10 years ago.