When I talk about Microsoft and the subject of security, it is inevitable that someone will chime in with a less-than-stellar remark referencing Slammer or Code Red or some other flavor of pain from history. The facts are undeniable: as a company we come to the table with a lot of baggage, and that history contains moments that some might want to forget. That's why I love working with Steve Lipner. Steve's knowledge of the MSRC and Microsoft during some of our worst days is encyclopedic in its detail, and incredibly candid and direct. He has been and remains a strong part of the foundation that has allowed us to even out the balance sheet a bit, and he has been instrumental to the progress we have made in security over the years. To this day Steve continues to provide great insight by reviewing our bulletin drafts prior to release every month and sharing his thoughts on the upcoming release so that I can follow up with my team. Steve is one of a group of hard-working MSFTies who have helped us get to the point where the words "Microsoft" and "security" are no longer mutually exclusive.

Last Friday, my day started with an email from Steve reminding us of a pretty significant moment in the history of our organization, the Security and Engineering Department of which the MSRC is a part. Seven years ago this week, Mike Howard and others in what was then our vestigial organization began training thousands of developers, testers and program managers at Microsoft on secure development practices. The overall effort has often been referred to, both internally and externally, as the "Security Push". It took two months to train roughly 10,000 personnel, but ultimately it resulted in the release of Windows XP SP2, Windows Server 2003 and several other products that were a demonstrable improvement in security over their previous iterations. The numbers have clearly shown over time that the Security Development Lifecycle (SDL) methodology, since formally integrated into how we develop software, has reduced the attack surface of our products and made them more secure.

Now don't get me wrong. I am not swimming in the Kool-Aid either. Last time I checked, the MSRC still releases security updates every month, and my team continues to receive new vulnerability reports to investigate. We still have plenty of work to do, but it is always nice to see demonstrable progress and to look at how far we have come, which I believe even the most hardened of cynics can agree with. I was once one of those cynics, and as I am sure my colleagues would tell you, I still am in many ways. Being a cynic is how I ended up here, which is a story for another day.

In any case, check out Steve's video here as he walks through what life in the MSRC was like prior to the "Security Push", and thank you, Jason Garms, Steve, Mike Howard and numerous others, for building the foundation that lets me sleep a little more often without interruption from the pager.