Tips to make your apps more secure
Friday, February 06, 2009 11:39 AM
Find out what Microsoft's security chief says, developers need to do better to make their applications more secure.
A simple fact of life in the IT industry is that, even if you do not use Microsoft products, how secure the company's products are will most likely end up impacting your work one way or the other.
A few years ago, Microsoft began releasing its Security Intelligence Report (SIR) in order to provide an accurate assessment of the latest threats to its products. Each report covers a six-month period.
In early December 2008, I had the chance to speak with Bret Arsenault, Microsoft's chief security officer, about the SIR: Volume 5 (January 2008 - June 2008).
I find this issue of the SIR interesting for two reasons. First, for a full year's worth of reporting periods, the number of reported "high" vulnerabilities has decreased. The second data point that interests me is the fact that more than 90 percent of HTML-borne threats affecting Windows Vista actually target third-party products--not Microsoft products.
Arsenault said that this shift makes a lot of sense, and I tend to agree with him. Windows Vista's security is not perfect, but it is now hardened to the point that the OS is no longer the lowest hanging fruit on the tree. In addition, as he pointed out, the data that the bad guys really want tends to be locked up inside the application now and not the OS.
He and I talked in-depth about what developers need to do better to make their applications more secure. He said the security holes developers are seeing are the same ones that we have been seeing for years: buffer overruns, data hardcoded into the applications, and many other bad practices.
At a technical level, applications are still not modular enough; in addition, many applications do not perform automatic updates. I asked Arsenault about the possibility of allowing third-party developers to participate in the Microsoft Update program, and he said it is not currently being discussed as an option.
What developers need now are the same remedies that have been recommended for quite some time. It is a matter of educating developers and helping them to become more rigorous in their practices. He said that developers need to be retrained and suggested that they should all learn about the SDL process and security, preferably as part of the training program for new developers (in other words, baked into a Computer Science or IS/IT degree program).
He and I agreed that it takes weeks, if not months, to give developers a good background in secure development techniques and that a couple of lunch-and-learn training sessions or a few hours with a consultant is not sufficient.
Another large part of the problem is that developers are extremely pressed for time. They often learn new things in the trenches and, as a result, do not realize the security implications of the way they are writing code. On that note, he pointed me to Microsoft's new site for providing security information to developers: HelloSecureWorld.
He also mentioned that users are still on the hook too; there is nothing any developer can do in the face of a user who clicks "Yes" to everything. In addition, he reminded me about the Microsoft Security Assessment Tool (MSAT) and the User Awareness and Education Toolkit, which systems administrators can use to evaluate their security situation and teach users about safe computing.
I know the situation that Microsoft faces is pretty challenging. The company has so many conflicting requirements, such as maintaining backwards compatibility while making the security tighter. At the same time, it is good to see Microsoft taking the situation seriously and finally seeing some positive results--even if it has taken so long to get some relief.
Justin James is an employee of Levit & James, Inc. in a multidisciplinary role that combines programming, network management, and systems administration. He has been blogging at TechRepublic since 2005.
There are currently no comments for this post.