Developing Tighter Applications
"The primary goal of the Sony Professional Services application was to enable sales via the Internet in a very secure mannereducating the B2B customer on Sony products and reducing the number of phone-in orders to their call center," Swift said. "Security became an immediate focus due to a number of factorstheir B2B customers and security policy dictate authentication must be driven through an existing LDAP directory. However, non-B2B customers that can also use the site can be authenticated differently." Swift said Brierley delved into other security areas for this solution and for other work it has done for Sony, including recommending physical security of the data center and audits; encrypting data sent via files; securing XML Web services via SSL (Secure Sockets Layer) digital signatures; X.509 certificate-based authentication and so on; securing customer-service-type applications using role-based security; and implementing technologies such as network security, dual firewalls and IP restrictions.Rick Samona, product manager for .Net Framework and Developer Tools at Microsoft, in Redmond, Wash., said the companys new tools help developers add security at the development stage. "Developers require an innovative security architecture and features at both the application-platform and programming-tool level," said Samona. "The .Net Framework and Visual Studio .Net provide developers with the necessary tools and information to write secure applications. Managed code and the .Net Framework make writing secure applications easier and help developers avoid one of the largest types of security breaches: buffer overruns." "Furthermore," said Samona, "the .Net Framework contains added features like integrated garbage collection, the ability to do sandboxing, and several libraries such as Strsafe.h for safer string handling in C and Server.HTMLEncode to help prevent cross-site scripting. Another thing that the Common Language Architecture [CLR is part of the .Net Framework] provides is evidence-based security, including strong names for assemblies. In .Net, all the core libraries shipped by Microsoft are signed and strongly named." In addition, Samona said Microsofts lead in securing Web services attracts developers. "One area where we are ahead is in the ease of use in implementing WS-Security," Samona said. "WS-Security is a fairly involved family of specifications, and it is not trivial for a developer to properly apply it to a Web services app. With WSE (Web Services Enhancements) 2.0 and Visual Studio 2003, a developer can set up a secure Web service with a few clicks and menu selections through the wizard. In other tool kits, this is a complex, error-prone process, involving many lines of hand-authored code." Next Page: High Expectations
Meanwhile, .Net Framework and Visual Studio have technology that enables developers to create more secure applications.