On March 31, Bill Gates released an item in Microsoft's continuing Executive E-mail program entitled Microsoft Progress Report: Security. It makes fascinating reading in and of itself, but it also foretells some interesting futures for the VS.NET development environment.
One interesting outgrowth of Microsoft's so-called Trustworthy Computing Initiative is that the company has had to confront its sometimes checkered past, particularly in the form of long-used code modules in which new vulnerabilities may be discovered (the ASN.1 code, scattered all over Microsoft platforms and applications, is a stunning case in point). Likewise, vulnerabilities may lurk in older code that, despite being unused, still harbors potential points of attack.
An astute reader of Gates' report will notice that the company is turning over and rebuilding its code bases to remove vulnerabilities related to compiler or run-time system designs that may have been insufficiently sensitive to buffer overflow attacks when handling input. But what is of most interest to those concerned about current security shortcomings in Visual Studio and related languages, or those wondering about planned security enhancements in future releases, comes in two parts of the Gates report:
- In the section on "Authentication and Access Control," Gates gets into planned password policy strengthening and checking, support for smart cards and biometric devices to enhance multifactor authentication in Windows, plus more widespread use of PKI, digital certificates and IP Security (IPSec) protocols. It seems inevitable, therefore, that these things must surface in more places in VS.NET and be made more usable, to encourage developers to up their security antes as well.
- In commenting on improvements to code quality and security capabilities, Gates says: "…we use code-checking tools that automatically search for classes of bugs that can lead to security vulnerabilities, program crashes and hangs. We have committed to making these engineering advances available to other software developers through training and tools, including the next release of Visual Studio." This means these tools should surface some time in the next 12-18 months as the next iteration of VS.NET makes its way through beta into commercial release.
Beyond the improvements in code stability that should result from avoiding crashes and hangs, automated assistance in avoiding security vulnerabilities should be a boon to harried programmers who may be worried about delivering needed functionality, rather than keeping one eye on functions and the other on security. Especially for organizations that build custom applications where security invariably comes as an afterthought, this could be a huge blessing for future services and applications built around the Visual Studio environment.
Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT certification and information security topics.