Getting a Head Start on App Security

Microsoft product manager Rick Samona preaches the importance of developers being on top of security throughout the entire application design process.

With security on the minds of IT managers more than ever, some companies are addressing the issue even before applications are developed. Microsoft Corp. is delivering technology, advice and best practices to enable developers to write more secure code. In an interview with eWEEK Senior Editor Darryl K. Taft, Rick Samona, product manager of .Net Framework and Developer Tools at the Redmond, Wash., company, discussed some of the things the software giant is doing to assist developers in creating more secure applications.

What does the Microsoft tool set provide developers in terms of security?

Developers require an innovative security architecture and features at both the application platform and programming tool levels. The .Net Framework and Visual Studio.Net provide developers with the necessary tools and information to write secure applications. Managed code and the .Net Framework make writing secure applications easier than ever before and help developers avoid one of the largest types of security breaches—buffer overruns. Furthermore, the .Net Framework contains added features like integrated garbage collection, the ability to do sandboxing, and several libraries such as Strsafe.h for safer string handling in C and Server.HTMLEncode to help prevent cross-site scripting.

Another thing that the Common Language Architecture [CLR, part of the .Net Framework] provides is evidence-based security, including strong names for assemblies. In .Net, all of the core libraries shipped by Microsoft are signed and strongly named.

One area where we are ahead is in the ease of use in implementing WS-Security. WS-Security is a fairly involved family of specifications, and it is not trivial for a developer to properly apply it to a Web services app. With WSE [Web Services Enhancements] 2.0 and Visual Studio 2003, a developer can set up a secure Web service with a few clicks and menu selections through the easy-to-use wizard. In other tool kits this is a complex, error-prone process, involving many lines of hand-authored code.


Finally, Microsoft realizes that writing secure code is more than just about the tools—it is also about people and processes. Therefore, in addition to providing the security features in the tool set as described above, Microsoft is committed to providing organizations with the information necessary to ensure relevant processes are in place. More information, including free advice on helping developers to write secure code, is available from Microsoft.

How much attention is typically paid to security at design time and initial stages of development? Does Microsoft plan to offer developers a mechanism to pay more attention to security earlier on in the development process?

Application security must occur throughout the entire design process. Unfortunately, many developers take security into consideration as an afterthought. Microsoft has started releasing information on our own internal best practices and plans to release more in the near future. We here at Microsoft have been in the software industry for quite some time now. Therefore, we believe in helping other organizations learn from both our security successes and challenges.

In many instances additional security means some sort of performance hit. Would this necessarily be the case for apps where security has been part of the design process? How about for apps where extra precautions have been taken to error-proof the code? Does it take longer to build these kinds of apps?

Conventional wisdom says that increased security means decreased performance. In past cases this has been true. For instance, an important security feature, called code access security, has been optional in the Java VM because it caused a performance hit at runtime. However, with the advent of the .Net Framework, we introduced ways to make things like code access security a default feature without causing a significant performance hit. The .Net Framework can do most subscript checking during compilation using optimization algorithms, ensuring the application runs at a high performance level. There is also a preconceived assumption that added security means added lines of code. But we built the .Net Framework to actually reward increased security with fewer lines of code. The .Net Framework also provides several built-in security tools and libraries, such as System.Security.Cryptography, which contains innovative and vigorously tested cryptographic algorithms. Overall, we built the .Net Framework with security in mind; writing secure applications is easier than ever before and uses fewer resources than was previously possible.

A recent study by Gartner ["Security at the Application Level: Are You Ready?" September 2004] points out that the National Institute of Standards and Technology demonstrated in its 2002 study that removing security defects during code and unit tests can reduce the cost impact by an additional factor of between three and 20. Therefore, prioritizing security as a focus during the development phase can reduce stress on both yourself and your bottom line in the long run.

Rather than addressing the design and coding phase, what other things or areas are there to delve into during the development process that could impact application security?

Every organization, small or large, must have a Security Design Lifecycle [SDL] in place to ensure security occurs at all relevant phases, not just at code review. In addition to having an SDL, organizations must provide their developers with adequate training to write secure applications. A recent Microsoft study showed that 64 percent of developers are not confident in their ability to write secure applications. Developers should be required to attend relevant security training and become certified. Microsoft provides free training and has two developer security certification courses [70-330 and 70-340] as part of the MCAD and MCSD certifications. We will be further adding to our security training and certification within the next 12 months.

What's the status of PreFix and PreFast? Are they currently implemented in Microsoft tool sets?

Microsoft scans applications with PreFix and PreFast prior to shipping. We are pleased to say that PreFast will be included in Visual Studio 2005 to scan applications built in C++. Furthermore, the /GS switch used to recompile Windows XP SP2 will be defaulted to "on" to make the process of writing secure code more seamless. In addition to PreFast, FxCop will also be shipped with Visual Studio 2005 to scan managed code. Microsoft is committed to providing the developer community with the tool sets needed to write secure applications.

Who tends to care about this stuff? Any particular markets/industries more than others?

Security should be of utmost priority in all markets and industries. Some industries take added measures to ensure their applications are secure. This includes governments all over the world and ISVs that create mission-critical applications. Microsoft Visual Studio 2003 and the .Net Framework provide the ease and functionality for every developer, from hobbyists and students in academia to Global 100 companies, to write secure applications. If you are not focused on security, chances are one of your competitors is.

