Before his career as a philanthropist, Bill Gates was the founder and head of Microsoft, and he became as famous for his relentless pursuit of growth as he was for inventing the commercial software market with MS-DOS. By 2001, Microsoft Windows powered over 97% of personal computers. Internet Explorer 6 was winning the browser wars, and the pre-iPhone smartphone and PDA market was Pocket PC's (soon to be renamed Windows Mobile) to lose.
Things were, in short, good for the company. Gates had achieved this powerful position through aggressive technical and business moves that reflected his primary goal of growing Microsoft’s dominance, even if that meant some compromises along the way.
By 2002, however, the company had hit a wall. The blue screen of death marking Windows crashes had long been ridiculed in memes (though memes were different then too), and malware was running rampant: the Code Red and Nimda worms had torn through unpatched IIS and Windows installations in 2001, and competitors could easily differentiate themselves on security (as well as performance, privacy, and other factors).
On January 15, 2002, Bill Gates sent out a company-wide memo, later known as the Trustworthy Computing memo, explaining that security was now everybody's first priority. In it, he pulled a U-turn on a company policy that had previously prioritized features over security and privacy:
In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.
So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email-borne viruses. If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
A lot has changed in the nearly 20 years since Gates' memo. Who knows what might have happened in alternate timelines where Microsoft never prioritized security, or did so earlier. In this timeline, Windows' security reputation was mocked in a number of the Mac vs. PC ads produced throughout the 2000s, and one might wonder whether a less dominant company than Microsoft could have survived the period at all.
A revolution in waiting
The principle Gates outlined in his memo, that code needs to be written to be secure rather than secured after it's written, foreshadowed the principle of the devops revolution that followed shortly after: software needs to be engineered for reliable operations, not made operable after it has been written.
The devops revolution is still in progress, but collaboration between developers and operators to ensure the reliable, continuous delivery of their code is now common, and in any fast-growing company it is almost taken for granted.
Security, however, remains problematic, even as threats to our code grow in both number and significance. The day Microsoft prioritized security, it also prioritized customer trust, an increasingly important factor in the growth of any technology. Gates' insistence that security and privacy are a first-principle responsibility of developers at the start of the engineering process, not a task bolted on at the end, is worth considering again now. In a world where every company is a software company, it's increasingly true that every company needs to be a security company as well.