Microsoft briefly stopped Windows development in February 2002 to focus on security

In the late 1990s and early 2000s, Microsoft's software products didn't have as good a reputation as they enjoy today. That was especially true of its Windows operating systems, which were big targets for cyber criminals. One example was the "Code Red" virus in 2001, which infected over 200,000 Windows PCs in two weeks.

In January 2002, Microsoft co-founder Bill Gates issued a memo to all of the company's employees. It offered up Gates' vision of what he called "Trustworthy Computing". Gates felt that Microsoft should work to make "computing that is as available, reliable and secure as electricity, water services and telephony."

That memo was the beginning of an effort by the company to release products that are as safe to use as possible. This week, Microsoft posted a new and extensive feature about how it made a turnaround in developing safer software and services. The article, "Life in the Digital Crosshairs", contains some little-known information about the early days of this effort to increase security in software.

One interesting tidbit is that in February 2002, one month after Gates' memo, the company decided to stop development of Windows briefly to focus its software developers on security. The article states:

Everyone was given training to outline expectations and priorities — threat modeling, code reviews, available tools, penetration testing — all designed to modify the default behavior of the system to make it more secure. Their room at the Microsoft Briefing Center was filled to its 950-person capacity twice a day for five days ... 

This phase ended up lasting two months, but Microsoft wasn't done yet. In 2004 the company launched what it calls the Security Development Lifecycle (SDL), a new process for creating software that made security a top priority. Other companies such as Cisco and Adobe have since used Microsoft's SDL as a process to create their own software.

Source: Microsoft | Image via Microsoft

39 Comments


This was part of the surge of broadband adoption and always-on internet that led to many exploits being spread at the time. They had no choice but to address this; these issues were showstoppers.

If you look at the Beta of the Windows that was to come after XP, its UI looked exactly like Windows 7. MS postponed this to work on Windows Security. For the first time, a Server version of Windows was released before its workstation counterpart. Windows Server 2003 R2 was the Foundation for Windows Vista.

Why are we talking about this again is what I want to know?!

Hi_XPecTa_Chens said,
If you look at the Beta of the Windows that was to come after XP, its UI looked exactly like Windows 7. MS postponed this to work on Windows Security. For the first time, a Server version of Windows was released before its workstation counterpart. Windows Server 2003 R2 was the Foundation for Windows Vista.

Why are we talking about this again is what I want to know?!

Where are you getting this information? Windows Vista was in development before Windows Server 2003 R2.

After all this I am so thankful I've really never gotten a virus. Except maybe last month, during a regular process check, I found some weird program that was a 'non-existent process' and was using up more than Explorer. Would this be a virus? I would say yeah?

Fast forward to 2014, twelve damn years later, and we are still nowhere near secure and trusted systems. I believe the entire "security" and "trusted *.*" movement is nothing more than a mirage: we will FOR SURE never reach it, not even approach it closely enough. Its only benefit is that vendors can keep spinning on it forever and ever, from time to time coming up with a new buzzword and selling newer and newer software and appliances that leak the same way as 5 or 10 or 15 years ago.

Actually it was just 1-2 years ago when the entire internet-user community lost even its remaining trust, due to all the backdoors and exploits planted into PKI and SSL. Rogue CAs, Snowden's leaks... At least back in the day, certificate-based systems were believed to be secure (yes, that was all we could do, believe... similarly to religion, as there was never any evidence that it existed...). After all these PKI backdoor program codes came to the public, the entire computer security industry will never be the same.

soder said,
Fast forward to 2014, twelve damn years later, and we are still nowhere near secure and trusted systems. I believe the entire "security" and "trusted *.*" movement is nothing more than a mirage: we will FOR SURE never reach it, not even approach it closely enough. Its only benefit is that vendors can keep spinning on it forever and ever, from time to time coming up with a new buzzword and selling newer and newer software and appliances that leak the same way as 5 or 10 or 15 years ago.

Actually it was just 1-2 years ago when the entire internet-user community lost even its remaining trust, due to all the backdoors and exploits planted into PKI and SSL. Rogue CAs, Snowden's leaks... At least back in the day, certificate-based systems were believed to be secure (yes, that was all we could do, believe... similarly to religion, as there was never any evidence that it existed...). After all these PKI backdoor program codes came to the public, the entire computer security industry will never be the same.

Could this be because of the consumer backlash the last time Microsoft tried to do something "secure" and "trusted" (think NGSCB)?

soder said,
Fast forward to 2014, twelve damn years later, and we are still nowhere near secure and trusted systems. I believe the entire "security" and "trusted *.*" movement is nothing more than a mirage: we will FOR SURE never reach it, not even approach it closely enough. Its only benefit is that vendors can keep spinning on it forever and ever, from time to time coming up with a new buzzword and selling newer and newer software and appliances that leak the same way as 5 or 10 or 15 years ago.

Actually it was just 1-2 years ago when the entire internet-user community lost even its remaining trust, due to all the backdoors and exploits planted into PKI and SSL. Rogue CAs, Snowden's leaks... At least back in the day, certificate-based systems were believed to be secure (yes, that was all we could do, believe... similarly to religion, as there was never any evidence that it existed...). After all these PKI backdoor program codes came to the public, the entire computer security industry will never be the same.

Um. What? Systems are wholly more secure (well, if you're not Apple anyway) than they used to be. Windows 8, out of the box, could stand for months on its own, compared to XP, which could be compromised just by clicking open IE6 (the default browser out of the box).

On the whole the Trustworthy Computing initiative was a big plus for us users, but I do bemoan the loss of fun Easter eggs as a result.

Hits to Win2K Server and XP prompted their security reset. This is why Server 2003 was not released at the same time as XP. This security reset also contributed to the new security focus of XP SP2, which added additional security features, including their application-layer firewall.

A lot of technology came from this security restart, from new framework models to automated code testing that is at the heart of WinRT/WP and their Apps.

This wasn't a tiny 'pause', but a massive shift to deal with new types of security issues and attacks. Even Microsoft compiler technology changed to prioritize security. This is why Microsoft's compilers rate as faster and more secure than Intel's compilers. (Intel can squeeze out a bit more performance at times, but at the cost of security.)

We knew this. If you follow Paul Thurrott, he mentioned this many times back when XP started to get hacked and MSFT began their Trustworthy Computing initiative.

Travelar said,
I suspect that other companies, such as Adobe, didn't take much away from this.

You realize companies like Adobe still consult with Microsoft for security assistance. When major companies have security issues, they often reach out to Microsoft, including Sony, when they had network issues a few years ago with iFrame exploits and needed help in securing their Novell VMs running on outdated custom Linux distributions.

Microsoft was hit harder with regard to security than any other tech company in history, and continues to define some of the most secure models.

Google even got help from Microsoft in sandboxing Chrome and fixing their broker system.
(Sadly Google became very anti-Microsoft since then and has refused help in securing Android.)

Why yes, I do realize this. I also realize that I spend more cycles patching exploited Adobe and Oracle installations than I do anything else. It was really just an off-the-cuff remark about the sub-par software that these companies continue to present to us and the fact that we continue to gobble it up like it is the greatest thing ever made.

And yes, I realize there are many more pieces of sub-par software, but these bring me the most grief, presently.

Travelar said,
Why yes, I do realize this. I also realize that I spend more cycles patching exploited Adobe and Oracle installations than I do anything else. It was really just an off-the-cuff remark about the sub-par software that these companies continue to present to us and the fact that we continue to gobble it up like it is the greatest thing ever made.

And yes, I realize there are many more pieces of sub-par software, but these bring me the most grief, presently.

All is well then; sorry I took your post too literally with regard to Microsoft.

Adobe and Oracle/Sun have a sad history of trying to retain compatibility at the expense of security. Flash and Java alone would benefit from a new core model, but for this to happen, too much will break and customers will move on to other RIA solutions.

Yet their made-in-house AV is considered one of the worst when it comes to the ability to catch viruses.

firey said,
Yet their made-in-house AV is considered one of the worst when it comes to the ability to catch viruses.

...and people that have no idea what they are talking about continue to repeat this inaccurate piece of information.

Look up Forefront and System Center 2012, then look up how definitions are updated, which previously gave MSE/Defender a misleadingly low score.

Mobius Enigma said,
...and people that have no idea what they are talking about continue to repeat this inaccurate piece of information.

Look up Forefront and System Center 2012, then look up how definitions are updated, which previously gave MSE/Defender a misleadingly low score.


Thing is, what most people also forget is that MSE does not carry definitions and whatnot for OS exploits that have been fixed through updates.
Haven't checked recent AV reports, but when the hatred vs. MSE started (giving it low rankings in AV charts), it was on Windows 7 machines with features like UAC and other system security DISABLED (even the FW etc.), not fully updated and such.
Calling it the typical "household computer" excuse.

And of course MSE will suck major balls on such systems. It's very dependent on the rest of the OS.

spikey_richie said,
It is, just 12 years too late

No, this is not news. This was very widely reported back in 2002. (How else do you think folks like Adobe jumped on the bandwagon at the same time?)

Ideas Man said,
Some of us may know this, but I'd say a large portion of the kiddies here wouldn't know it.

That is true of every event known to mankind that any kiddie has not read up on or studied. But rehashing known history is not considered 'news.'

Steven P. said,
That's why Vista happened folks (true story).
Vista happened because Longhorn had really really ambitious goals that were far from being met (looking at some of the technology preview videos from Longhorn shows some really amazing stuff, even with today's technology). After failing they had to start back from scratch and they put Vista together as quickly as they could while trying to still include some features to make people want to upgrade.

Steven P. said,
That's why Vista happened folks (true story).
No it's not. Windows Vista is the result of wanting to do too much ahead of your time with OEMs that don't care about drivers and system requirements. Also, back in 2002, the operating system they were working on was supposed to become the thing we now know as Windows 7; an interim release, Windows Longhorn, later to become Windows Vista after a code reset, was added later.

Steven P. said,
Well, I was joking. I was there for the Vista launch event with Jim Allchin.

Was he at the NYC one? I remember Gates and Ballmer being there. Thought the sushi bar was a bit over the top, but it was a lot of fun.

Joe User said,
Was he at the NYC one? I remember Gates and Ballmer being there. Thought the sushi bar was a bit over the top, but it was a lot of fun.

No, it was held at Microsoft HQ; they also had a dragster and a band playing music. Very cool.

Studio384 said,
No it's not. Windows Vista is the result of wanting to do too much ahead of your time with OEMs that don't care about drivers and system requirements. Also, back in 2002, the operating system they were working on was supposed to become the thing we now know as Windows 7; an interim release, Windows Longhorn, later to become Windows Vista after a code reset, was added later.

Originally the XP successor codename was Longhorn and it was supposed to be a "minor" release; after that, codename Blackcomb/Vienna was planned as a "major" release.
Plans changed and Longhorn became the OS to finally incorporate all the technologies envisioned since the early '90s with "Cairo". When Longhorn was abandoned/"reset" and the development of Vista started, MS also switched to using Windows Server 2003 as a foundation.

Studio384 said,
No it's not. Windows Vista is the result of wanting to do too much ahead of your time with OEMs that don't care about drivers and system requirements. Also, back in 2002, the operating system they were working on was supposed to become the thing we now know as Windows 7; an interim release, Windows Longhorn, later to become Windows Vista after a code reset, was added later.

Microsoft is partially to blame for that. In a different lawsuit, e-mails from Microsoft and Intel revealed that Intel pressured MS, and they gave in to certify one of their low-end graphics chipsets which really wasn't powerful enough. MS certified it, and since it was one of the cheaper Intel products and it was "certified", a lot of OEMs used it.

Studio384 said,
No it's not. Windows Vista is the result of wanting to do too much ahead of your time with OEMs that don't care about drivers and system requirements. Also, back in 2002, the operating system they were working on was supposed to become the thing we now know as Windows 7; an interim release, Windows Longhorn, later to become Windows Vista after a code reset, was added later.

I may be reading your comment the wrong way, but I'd like to point out that Windows 7 is far from being what Vista was supposed to be. It irritates me when I see "Windows 7 is 'Longhorn'" or "Windows 7 is what Vista should have (or would have) been." It's not even close.

Cosmocronos said,
Originally the XP successor codename was Longhorn and it was supposed to be a "minor" release; after that, codename Blackcomb/Vienna was planned as a "major" release.
Plans changed and Longhorn became the OS to finally incorporate all the technologies envisioned since the early '90s with "Cairo". When Longhorn was abandoned/"reset" and the development of Vista started, MS also switched to using Windows Server 2003 as a foundation.

Confusion.
Very early builds of "Longhorn" used Windows XP as a foundation. The majority of pre-reset "Longhorn" builds were built on the Windows Server 2003 codebase.

Rudy said,
Vista happened because Longhorn had really really ambitious goals that were far from being met (looking at some of the technology preview videos from Longhorn shows some really amazing stuff, even with today's technology). After failing they had to start back from scratch and they put Vista together as quickly as they could while trying to still include some features to make people want to upgrade.

Windows Vista is an ambitious operating system itself. The audio, networking, and printing subsystems were redesigned, incorporating features that were slated for "Longhorn" in 2003. Windows Vista even uses the same graphics driver model as "Longhorn".

I dislike the term "start from scratch" when used in reference to Windows Vista. It conveys the thought that the operating system shares no similarities with "Longhorn".

Steven P. said,
That's why Vista happened folks (true story).
Exactly, this was old news. If you look at the Beta of the Windows that was to come after XP, its UI looked exactly like Windows 7. MS postponed this to work on Windows Security. For the first time, a Server version of Windows was released before its workstation counterpart. Windows Server 2003 R2 was the Foundation for Windows Vista.

Why are we talking about this again is what I want to know?!

Ian William said,
Windows Vista is an ambitious operating system itself. The audio, networking, and printing subsystems were redesigned, incorporating features that were slated for "Longhorn" in 2003. Windows Vista even uses the same graphics driver model as "Longhorn".

I dislike the term "start from scratch" when used in reference to Windows Vista. It conveys the thought that the operating system shares no similarities with "Longhorn".

I remember an interview with Jim Allchin saying that 90% of the Longhorn code was scrapped when they started over and made Vista. That's not to say some of the same goals of Longhorn didn't make it into Vista.

Longhorn was supposed to have three "pillars": Avalon (display), WinFS (file system), and Indigo (making a lot of the OS integrated with web services built in).