Security Firms Scrutinize .Net Code

Written by Dennis Fisher
Nov 26, 2001

As part of its ongoing effort to repair its reputation for poor security, Microsoft Corp. for the past year has taken the extraordinary step of subjecting the code of its .Net framework to an intensive review by two outside security firms.

The review, conducted by Foundstone Inc. and Core Security Technologies, included a study of all of the platform's inherent security capabilities, such as code-access security, role-based and evidence-based security, and the use of cryptography. The companies approached the review from three distinct perspectives: that of the user, the application developer and the systems administrator.

Overall, the companies were pleased with what Microsoft has done.

“The software gives developers and administrators a great deal of granular access control,” said Joel Scambray, managing principal at Foundstone, based in Irvine, Calif.

“We wanted to help eliminate common mistakes and vulnerabilities that we see in a lot of software. If it's implemented properly, things like buffer overflows aren't possible in the .Net framework.”

Engaging an outside firm to assess the security of the software on which Microsoft is pinning its hopes for future success is a major step for the Redmond, Wash., company. Microsoft has traditionally played its cards close to the vest on the subject of security and has handled the majority of such efforts internally.

But recent incidents such as the various Code Red worms, the Nimda worm and other security embarrassments have caused the company to reassess its processes and consider other options, Microsoft officials said.

Microsoft originally brought Foundstone in before the first beta release of .Net as part of its Secure Windows Initiative. Over the course of the last year, Foundstone consultants spent more than 2,800 hours testing the .Net code and some of its initial reference applications.

The consultants also wrote some of their own application modules and then ran penetration tests against them, with varying degrees of success, Scambray said.

“Our initial view was that it was much more difficult to circumvent than the typical Web application because the security plumbing is built in,” Scambray said.

He added that the .Net framework's policies are more secure by default than those of previous Microsoft platforms. “Compared to other managed-code architectures, like Java 2, .Net is quite secure,” he said.
