Microsoft's Chief Security Officer Bret Arsenault talks shop with Justin James. Hear what he says developers need to do better to make their applications more secure.
A simple fact of life in the IT industry is that, even if you do not use Microsoft products, how secure the company's products are will most likely end up impacting your work one way or the other.
A few years ago, Microsoft began releasing its Security Intelligence Report (SIR) in order to provide an accurate assessment of the latest threats to its products. Each report covers a six-month period. In early December 2008, I had the chance to speak with Bret Arsenault, Microsoft's Chief Security Officer, about the SIR: Volume 5 (January 2008 - June 2008).
I find this issue of the SIR interesting for two reasons. First, for a full year's worth of reporting periods, the number of reported High vulnerabilities has decreased. The second data point that interests me is the fact that more than 90% of HTML-borne threats affecting Windows Vista actually target third-party products — not Microsoft products. Bret said that this shift makes a lot of sense, and I tend to agree with him. Windows Vista's security is not perfect, but it is now hardened to the point that the OS is no longer the lowest hanging fruit on the tree. In addition, as he pointed out, the data that the bad guys really want tends to be locked up inside the application now and not the OS.
Bret and I talked in-depth about what developers need to do better to make their applications more secure. He said the security holes developers are seeing are the same ones that we have been seeing for years: buffer overruns, data hardcoded into the applications, and many other bad practices.
At a technical level, applications are still not modular enough; in addition, many applications do not perform automatic updates. I asked Bret about the possibility of allowing third-party developers to participate in the Microsoft Update program, and he said it is not currently being discussed as an option.
What developers need now are the same remedies that have been recommended for quite some time. It is a matter of educating developers and helping them to become more rigorous in their practices. He said that developers need to be retrained and suggested that they should all learn about the SDL process and security, preferably as part of the training program for new developers (in other words, baked into a Computer Science or IS/IT degree program). He and I agree that it takes weeks, if not months, to give developers a good background in secure development techniques and that a couple of lunch 'n learn training sessions or a few hours with a consultant is not sufficient.
Another large part of the problem is that developers are extremely pressed for time. They often learn new things in the trenches and, as a result, do not realize the security implications of the way they are writing code. On that note, he pointed me to Microsoft's new site for providing security information to developers: HelloSecureWorld. He also mentioned that users are still on the hook too; there is nothing any developer can do in the face of a user who clicks "Yes" to everything. In addition, he reminded me about the Microsoft Security Assessment Tool (MSAT) and the User Awareness and Education Toolkit, which systems administrators can use to evaluate their security situation and teach users about safe computing.
I know the situation that Microsoft faces is pretty challenging. The company has so many conflicting requirements, such as maintaining backwards compatibility while making the security tighter. At the same time, it is good to see Microsoft taking the situation seriously and finally seeing some positive results — even if it has taken so long to get some relief.
Thanks again to Bret for speaking with me. I really enjoyed our conversation.
Also, be sure to read Chad Perrin's post about the 25 most dangerous programming errors, which is a list that has been compiled by security experts from all over the world.
J.JaDisclosure of Justin's industry affiliations: Justin James has a working arrangement with Microsoft to write an article for MSDN Magazine. He also has a contract with Spiceworks to write product buying guides.
———————————————————————————————————————————————————————-Get weekly development tips in your inbox Keep your developer skills sharp by signing up for TechRepublic's free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!