Security is perhaps the final frontier for developers as they build applications for the modern enterprise. But with its newest development platforms, Microsoft Corp. said it is enabling developers to address security early in the design and development process.
The Redmond, Wash., company will put new security features into Visual Studio 2005. PreFast, for example, is a static code analysis tool for the Visual Studio Team System, expected to be available next year, officials said. Microsoft uses the technology in developing applications it sells commercially.
Other new tools include PreFix, for defect detection, and FXCop, a code analysis tool that checks .Net-managed code assemblies for conformance to Microsoft's .Net Framework design guidelines.
“Microsoft scans applications with PreFix and PreFast prior to shipping,” said Rick Samona, product manager for .Net Framework and Developer Tools at Microsoft. “PreFast will be included in Visual Studio 2005 to scan applications built in C++. The /GS switch used to recompile Windows XP SP2 will be defaulted to on to make writing secure code more seamless. In addition to PreFast, FXCop will also be shipped with Visual Studio 2005 to scan managed code.”
In announcing its Visual Studio Team System vision in May, Microsoft said it will deliver tools to enable developers to more broadly cover the application life cycle, including tools that address design, coding, issue tracking, source code control, load testing and other testing.
“The .Net Framework and Visual Studio .Net provide developers with the necessary tools and information to write secure applications. Managed code and the .Net Framework make writing secure applications easier … and help developers avoid one of the largest types of security breaches—buffer overruns,” Samona said.
Samona said security must be addressed in all phases of development.
“Every organization, small or large, must have an SDL (Security Design Lifecycle) in place to ensure security occurs at all relevant phases, not just at code review,” Samona said. “In addition to having an SDL, organizations must provide their developers with the adequate training to write secure applications. A recent Microsoft study showed that 64 percent of developers are not confident in their ability to write secure applications. Developers should be required to attend relevant security training and become certified.”