Security Firms Scrutinize .Net Code | eWeek

Written by Dennis Fisher
Nov 26, 2001

As part of its ongoing effort to repair its reputation for poor security, Microsoft Corp. for the past year has taken the extraordinary step of subjecting the code of its .Net framework to an intensive review by two outside security firms.

The review, conducted by Foundstone Inc. and Core Security Technologies, included a study of all of the platform's inherent security capabilities, such as code-access security, role-based and evidence-based security and the use of cryptography. The companies approached the review from three distinct perspectives: that of the user, the application developer and the systems administrator.

Overall, the companies were pleased with what Microsoft has done.

“The software gives developers and administrators a great deal of granular access control,” said Joel Scambray, managing principal at Foundstone, based in Irvine, Calif.

“We wanted to help eliminate common mistakes and vulnerabilities that we see in a lot of software. If it's implemented properly, things like buffer overflows aren't possible in the .Net framework.”

Engaging an outside firm to assess the security of the software on which Microsoft is pinning its hopes for future success is a major step for the Redmond, Wash., company. Microsoft has traditionally played its cards close to the vest on the subject of security and has handled the majority of such efforts internally.

But recent incidents such as the various Code Red worms, the Nimda worm and other security embarrassments have caused the company to reassess its processes and consider other options, Microsoft officials said.

Microsoft originally brought Foundstone in before the first beta release of .Net as part of its Secure Windows Initiative. Over the course of the last year, Foundstone consultants spent more than 2,800 hours testing the .Net code and some of its initial reference applications.

The consultants also wrote some of their own application modules and then ran penetration tests against them, with varying degrees of success, Scambray said.

“Our initial view was that it was much more difficult to circumvent than the typical Web application because the security plumbing is built in,” Scambray said.

He added that the .Net framework's policies are more secure by default than previous Microsoft platforms. “Compared to other managed-code architectures, like Java 2, .Net is quite secure,” he said.
