20 Years After Bill Gates’ Trustworthy Computing Memo, Cybersecurity Issues Are An Even Harder Problem

March 14, 2022

Filip Verloy Technical Evangelist EMEA

Post Featured Image

On May 26, 1995, Bill Gates famously wrote his “Internet Tidal Wave” memo to Microsoft’s executive staff and all his direct reports, in it he admitted to changing his stance on the virtues of the Internet and that he was now assigning it the highest level of importance for his company. In August of that year, Microsoft released their first version of Internet Explorer through an add-on package (Plus!) for Windows 95. The rest as they say is history.

Another famous Bill Gates memo came forth after he spent a weekend reading the book “Writing Secure Code”, the then 477 page manuscript by Michael Howard and David LeBlanc, themselves Microsoft security engineering leaders, warned about the perils of cybersecurity issues arising from bad coding hygiene. The result was a memo published on January 15, 2002 called “Trustworthy Computing” wherein Bill Gates mandated Microsoft should prioritize security over adding new features to their software. “Eventually” Gates wrote, “our software should be so fundamentally secure that customers never even worry about it.”

Now some 20 years later, the book has drastically increased in size and remains as relevant as ever, cybersecurity issues remain front and center and have made their way into the general public’s awareness with stories about Ransomware attacks disrupting critical infrastructures like transportation, energy, and healthcare, supply chain attacks eroding trust across the industry, and a marked increase in cybersecurity incidents impacting remote workers, resulting in disruptions into everyday life. 

So we have to stay ever vigilant and more holistically look at the problem by both “shifting-left”, moving security sooner in the development process (Bill came to the right conclusion there), and also realizing we have increased the attack surface by creating more and more integrated systems connected with APIs. Whilst application “front ends” are most often the focus of security controls and testing, the connective APIs can be the most vulnerable components and are rarely adequately monitored and equipped with automated threat detection and response controls. 

API Security Testing 

One way to alleviate cybersecurity issues is to help developers and vendors to enable API-specific security testing using a DevSecOps workflow style that can identify API security defects prior to deployment - where they can be more cost-effectively remediated. At Noname Security we call this Active Testing. The goal is to increase security proficiency not by getting in the way of developers and slowing down innovation, but by completely automating testing across the full API development lifecycle. 

The result is relevant (including the OWASP API Top Ten) and exhaustive testing during the API development lifecycle, using integrations into your existing CI/CD pipelines and processes. This enables continuous innovation with higher confidence in your APIs before they move into production environments.