Two weeks ago
in
this space, I featured a question-and-answer session with security expert
Dinis Cruz. His concern: That .NET development vendors and programmers alike
are failing to employ sandboxing techniques to ensure that applications remain
secure.
Redmond Developer News plans to cover this and other development security-related
issues in an upcoming issue of RDN. But we wanted to hear from you first.
What security issues concern you most when developing applications? Do you feel
that tool vendors are providing the resources you need to create software that's
fundamentally secure? And do you feel that sandboxing, as an approach to enabling
security, has been widely overlooked by the industry?
E-mail us with you thoughts or experiences at [email protected].
Posted by Michael Desmond on 11/07/20070 comments
Visual Studio is adding another native programming language in the form of
F#, a typed functional programming language originally developed by Microsoft
Research in Cambridge, England.
When Soma Somasegar revealed Microsoft's F# plans on
his blog, it signaled an important step forward for Redmond. As corporate
VP of the Developer Division at Microsoft, Somasegar has been keen on the benefits
of functional programming, which promises to free coders to tap the power of
advanced, multi-core processors and expansive grid computing networks.
With the introduction of F#, developers will gain access to a functional programming
language in Visual Studio that's fully compatible with the .NET object model
and libraries, and plays well with other .NET languages and resources like WPF
and DirectX.
"This is one of the best things that has happened at Microsoft ever since
we created Microsoft Research over 15 years ago," Somasegar wrtes in his
blog entry. "We will be partnering with Don Syme and others in Microsoft
Research to fully integrate the F# language into Visual Studio and continue
innovating and evolving F#."
In his own
blog, Microsoft researcher Syme writes:
Looking ahead, we'll be initially focused on putting the finishing touches
on "V1" of the language design, improving the compiler, tools and
Visual Studio project system, completing the language specification and augmenting
F# with the libraries and tools needed to make it truly powerful in application
areas particularly suited to functional programming.
This is exciting stuff, frankly, even if it won't immediately change the day-to-day
jobs of most .NET developers. With F#, Microsoft is setting the direction toward
the future of programming, one defined by multi-core processors, grid-enabled
applications and intelligent abstraction. During an earlier
interview, Microsoft Fellow Anders Hejlsberg gave us an idea of what he
expected down the road:
There was once a hope you could just type "/parallel" in your
compiler and it could take advantage of multiple processors. Well no, unfortunately
that's not panning out. You need to write your program in a different way
that is more amenable to execution by smarter infrastructure. And declarative
programming and functional programming are probably the best candidates today
for really taking advantage of all of that multi-core power we are getting.
What do you think of the addition of F#? And what new languages or other changes
would you like to see Microsoft add to .NET and Visual Studio? E-mail me at
[email protected].
Posted by Michael Desmond on 10/31/20074 comments
Microsoft just launched a new Web site aimed directly at software QA and testing
professionals. Called
Tester
Center, the new site aims to bring testers together to share experiences
and best practices, get advice and access useful content.
The site is headed up by James Whitaker, an early innovator in the area of
model-based testing and currently a Microsoft security architect working in
the Trustworthy Computing Initiative at Redmond.
If you're involved with software testing at your organization, the Tester Center
might be worth a bookmark. Have you had a chance to check the new site out?
Let me know your thoughts at [email protected].
Posted by Michael Desmond on 10/24/20070 comments
The deadline for submitting entries to the
RDN Innovator Awards has
been extended two weeks to Nov. 15. The program recognizes outstanding efforts
in development, with a focus on shops aligned with Microsoft Windows and the
.NET stack. Entries are accepted across a range of independent categories.
Do you have a software development project that's worthy of recognition? Download
the RDN Innovator Awards entry form here.
Also check out the ADT
Innovator Awards. Now in its 13th consecutive year, the ADT Innovator
Awards program recognizes outstanding development on non-Microsoft platforms.
The deadline for both is Nov 15. Sign up now!
Posted by Michael Desmond on 10/24/20070 comments
Dinis Cruz spends a lot of time worrying about .NET security. The well-known
security consultant and trainer is chief security evangelist of the
Open
Web Application Security Project (OWASP), which aims to improve software
security.
RDN contributor John Waters caught up with Cruz at a recent industry
event. You can read more about this in the Nov. 15 issue of Redmond Developer
News magazine.
RDN: In a nutshell, what's your biggest security concern?
Cruz: We're not putting enough resources and investment into sandboxing
technology. The consequence is that developers aren't taking sandboxing seriously
anymore.
In ASP.NET, the "sandbox" is called Code Access Security.
Yes, both .NET and Java allow for the creation of a sandbox, which can be enabled
and disabled. The problem is, everyone disables it. I think that about 99 percent
of the code out there runs with Full Trust with no sandbox -- and I think I'm
being generous with that 1 percent.
Your favorite conference demo seems to be something you call "rooting
the CLR." What is that?
This is one way to expose the dangers of Full Trust ASP.NET code. I show how,
with Full Trust, I can load some .NET code and change the framework behavior.
If this is such a problem, why aren't Microsoft and Sun doing something
about it?
I've argued with Microsoft quite a lot about this, and they always listen and
they usually agree with me. But their clients aren't demanding it, and the developers
don't like putting in all the extra work that it takes to safely contain malicious
code, or benign code that could be executed in a malicious way. So, not much
gets done.
I've read that you're interested in getting developers to go beyond their
comfort zone when it comes to security. Is this a developer problem?
I don't believe that it's the fault of the developer. I think they're too often
used as the scapegoats in all this. Remember that they are paid for features
and speed, not security. In fact, it doesn't make business sense to write secure
code today. Unless it's something really obvious, the users can't evaluate the
security of an application. If you're really on the firing line, as many of
Microsoft's products are, then you do a bit of work on that. But in most cases,
if the attackers aren't exploiting it, the companies don't feel the need to
code securely.
Cruz is deeply concerned that dev shops aren't doing more to isolate their
code. Does he have a point? What would it take for your company to make secure
code a higher priority, and what issues have you run into when trying to improve
code security? E-mail me at [email protected].
Posted by Michael Desmond on 10/24/20070 comments
According to a recent Forrester Research survey, 28 percent of enterprises
with 500 or more employees have some form of social networking initiative, while
20 percent are considering it. Behind these figures: the runaway popularity
of social networking services like MySpace, Facebook and LinkedIn. The buzz
around these sites jumped recently, after Facebook announced it would open its
APIs to developers.
What's at stake here? Potentially, a lot. Facebook has a huge and growing audience
that includes a rapidly expanding business clientele. Apps linked into the Facebook
platform using its APIs can be immediately accessed and leveraged by Facebook
users, removing much of the friction in delivering services across organizations.
RDN Executive Editor Jeffrey Schwartz caught up with Burton Group Principal
Analyst Mike Gotta. According to Gotta, major platform players like Microsoft,
IBM and BEA are well aware of Facebook's appeal and are working to provide social
networking systems. He says the key issue retarding Facebook adoption (compared
to maturing software like IBM Lotus Connections and BEA AquaLogic Pages) is
the lack of robust policy management for managing roles, security and workflow.
From a developer perspective, Gotta warns dev managers to carefully consider
issues related to information gathering and dissemination. He also notes another
challenge when it comes to developing social networking applications.
"Designing social applications is different than designing business applications,"
Gotta said. "It's not like you're processing a transaction or the typical
CRM, ERP or line-of-business application."
Is your company looking to deploy a social networking platform as a way to
link individuals and streamline information flow? E-mail me at [email protected].
Posted by Michael Desmond on 10/17/20070 comments
Fortify Software is one of the leading providers of application security solutions
for development shops. So when its researchers came across a new type of vulnerability
that affects the application build process used in open source software projects,
it got my attention.
According to Fortify, cross-build injection exploits "allow a hacker to
insert code into the target program while it is being constructed." Discovered
by Fortify while working with the Java Open Review Project, cross-build injection
attacks represent a shift by hackers, from now-fortified OSes and applications
toward the less well-protected application development stack.
Open source projects, which are typically widely distributed and employ automated
compilation and other routines, offer an attractive target for cross-site injection.
According to the Fortify announcement:
"Once an attacker compromises either the server that hosts a component
or the DNS server that the build machine uses to locate that server, the attacker
can leverage these vulnerabilities to take full control of the build machine
and possibly other machines on the remote network."
I had a chance to pose some questions to Brian Chess, co-founder and chief
scientist at Fortify. Here's what he had to say:
How serious is the threat posed by cross-built injection? Now that we're
seeing it, can we expect to see more efforts to bring this attack to dev shops?
Once an organization has licked problems like buffer overflow and SQL injection,
this might just be the easiest way for an attacker to slip code into the company.
We expect that the attack will grow in popularity at the same rate that automatic
dependency management systems grow in popularity. More targets equal more attacks.
Are there things dev shops can do, outside of the Fortify offerings,
to defend or blunt these types of attacks? What kinds of changes to practices
and infrastructure might be called for?
The first and simplest is to refrain from adopting automated dependency
management systems altogether. Managing dependencies manually eliminates the
potential for unexpected behavior caused by the build system.
The second is a hybrid of the traditional manual dependency management approach
and the fully automated solution that is popular today: Run your own internal
dependency server. The biggest advantage of the manual build process is the
decreased window of attack, which can be achieved in a semi-automated system
by replicating external dependency servers internally.
The third builds on the second: Introduce a system for vetting any open source
code that is introduced into the build. This is the only way to make sure the
code is acceptable.
Does this type of attack represent an escalation of threat as attackers
move up the pipeline seeking vulnerabilities? Any thoughts on what might be
next?
Absolutely. There's a thin line between virtue and vice. The more we automate,
the more we leave room for abuse. We are open to attack anywhere people place
trust without understanding what they are trusting. In particular, we expect
to see more vulnerabilities in mobile devices and embedded systems.
You can read a white paper on the cross-build injection vulnerability here
(PDF).
What development-stage security issues are most concerning to you? E-mail me
at [email protected].
Posted by Michael Desmond on 10/17/20070 comments
We've spent a lot of time and ink covering Microsoft's Silverlight technology,
and for good reason. Initially regarded as a simple Flash competitor for delivering
rich media over the Web, Silverlight quickly emerged as a full-fledged application
delivery platform. And, as seems to be the case with all successful Microsoft
offerings, Silverlight is an amazing lesson in leverage. To wit: It enables
millions of .NET-savvy developers to write and package applications for use
across platforms and across the Web, via the Silverlight player.
Not that Adobe Inc. is going to take all this sitting down. The company that
brought us Flash and basically established the rich Internet application (RIA)
shtick isn't done innovating in this market. The Adobe Integrated Runtime (AIR)
platform, currently in beta and expected to launch in Q1 of 2008, is attracting
a lot of developer attention. Playing against a loyal audience of Flash developers
and bolstered by the maturing Flex 3 development environment, AIR has the look
of a capable RIA platform.
Perhaps most significant is the work Adobe is doing to win over developers.
As Dana Gardner notes in his
blog, the new Flex beta supports ASP.NET and enables programmers to create
applications from a SQL database using wizards. The availability of embedded
local databases is also a key advantage, since it should enable AIR applications
to behave in a much more desktop-like fashion than browser-bound Silverlight
apps.
At the Adobe MAX show last week, the company trundled out a host of brand-name
companies that are rolling out AIR, including SAP and Business Objects.
Just don't sleep on Silverlight. Our senior editor Kate Richards was at the
ReMIX event in Boston yesterday and she says developers there were very excited
about Microsoft's RIA platform. Her take: Dev shops find Silverlight to be very
manageable -- a far cry from their experience working with the Windows Presentation
Foundation native to .NET Framework 3.0.
Is your shop looking at Adobe AIR? If so, we'd like to hear from you. What
are your thoughts on Adobe's RIA platform and how does it stack up compared
to Silverlight? E-mail me at [email protected].
Posted by Michael Desmond on 10/10/20071 comments
Steve Ballmer may have been showing his age last week, when he called out the
Facebook social networking site as a "fad" and questioned the value
of the technology used to make it go.
"I think these things [social networks] are going to have some legs, and
yet there's a faddishness, a faddish nature about anything that basically appeals
to younger people," Ballmer was quoted as saying in an Oct. 2 article in
the Times Online. You can read the full article here.
Reading this, I can almost picture Ballmer out on his porch, in boxer shorts
and black socks, yelling at a bunch of neighborhood kids to get off his lawn.
One of those kids might be Rodney Rumford. He's president of a technology and
strategy firm that focuses on Facebook application development.
"What he doesn't understand is Facebook literally changes the way people
communicate," Rumford said. "It provides increased efficiency in discovering
information and sharing information, and information finds me...Facebook is
a social networking site. But if you float up 10,000 feet, it's really a communication
platform."
What's more, Rumford thinks that communication platform is going to have a
broad impact on programmers -- a very broad impact. "Every developer needs
to know HTML, correct? I think in five years, every developer is going to have
to know [Facebook Markup Language] on a basic level," Rumford said.
Is Ballmer getting crotchety or is Rumford just getting way ahead of himself?
You tell me. Is there a role for a Facebook-type platform in corporate development
and, if so, what might we expect from it? E-mail me at [email protected].
Posted by Michael Desmond on 10/08/20070 comments
Frequent
RDN contributor Mary Jo Foley has the goods on yet another
high-profile defection from Microsoft's Live business unit. This time, the departee
is Danny Thorpe, formerly a senior program manager and architect in the Windows
Live Platform group. Thorpe is leaving to work with a startup called
Cooliris.
You can read Foley's blog posting
here.
As Foley recounts, Thorpe originally came to Microsoft in April 2006 by way
of Borland and Google and was one of the key minds behind the Borland Delphi
programming language. You can read Danny Thorpe's blog account here.
Thorpe's defection comes hot on the heels of a couple of other Live leavings.
Live Search's Erik Selberg left Microsoft for Amazon.com about a week and a
half ago (here's
Erik's blog post on his decision). A couple of days later, Windows Live's Bubba
Murarka let fly the news that he was leaving Microsoft to launch his own business.
Microsoft's Windows Live effort is hardly on the verge of collapse. But these
kinds of defections are interesting, given how quiet the company has been about
the evolution of Live as a development platform, which at one time was rumored
to be on track for the end of last year. What do you think? E-mail me at [email protected].
Posted by Michael Desmond on 10/08/20070 comments
Six months ago or so, I
interviewed
Microsoft security expert Mike Howard about the challenge his company faced
as it worked to make the development of fundamentally secure software a core
mission of every project. Known as Security Development Lifecycle (SDL), the
effort took years to complete, and ultimately resulted in the release of much
more secure code.
One complaint Howard voiced in that interview was the lack of security-related
awareness and training among entry-level programmers arriving at Microsoft.
He specifically pointed a finger at undergraduate institutions, which he said
were producing programmers who didn't have to consider code vulnerabilities
during their formal education. As a result, Microsoft now sends new arrivals
to a weeks-long security training program, just to get them up to speed. In
a sense, Microsoft is doing the work that schools should've accomplished.
We've heard other complaints, as well, about college-level programs.
Our senior editor, Kathleen Richards, is working on an upcoming feature about
computer science education in colleges and graduate schools, and how it's changing
(or not changing) to meet modern challenges. We want to hear from you. If you're
hiring newly graduated programmers, what are you noticing?
And as a development manager, if you could send a message to the people who
run the computer science curricula at major schools, what would you want to
say to them? Now is your chance. E-mail me at [email protected].
Posted by Michael Desmond on 10/03/20070 comments
Facebook is fast transforming from its roots as a social networking site for
college students into a full-fledged development platform that has drawn Microsoft's
interest. Certainly, there's keen and growing interest in extending the benefits
of Facebook's community network model into the professional sphere.
Is your company's CEO beating down IT's door, asking for Facebook or something
like it? Or do you think Facebook and platforms like it are a passing fad, as
Steve Ballmer recently suggested? E-mail me at [email protected].
Posted by Michael Desmond on 10/03/20072 comments