Security Concerns

Two weeks ago in this space, I featured a question-and-answer session with security expert Dinis Cruz. His concern: That .NET development vendors and programmers alike are failing to employ sandboxing techniques to ensure that applications remain secure.

Redmond Developer News plans to cover this and other development security-related issues in an upcoming issue of RDN. But we wanted to hear from you first. What security issues concern you most when developing applications? Do you feel that tool vendors are providing the resources you need to create software that's fundamentally secure? And do you feel that sandboxing, as an approach to enabling security, has been widely overlooked by the industry?

E-mail us with your thoughts or experiences at [email protected].

Posted by Michael Desmond on 11/07/2007 | 0 comments


Microsoft Looks Sharp with F#

Visual Studio is adding another native programming language in the form of F#, a typed functional programming language originally developed by Microsoft Research in Cambridge, England.

When Soma Somasegar revealed Microsoft's F# plans on his blog, it signaled an important step forward for Redmond. As corporate VP of the Developer Division at Microsoft, Somasegar has been keen on the benefits of functional programming, which promises to free coders to tap the power of advanced, multi-core processors and expansive grid computing networks.

With the introduction of F#, developers will gain access to a functional programming language in Visual Studio that's fully compatible with the .NET object model and libraries, and plays well with other .NET languages and resources like WPF and DirectX.

"This is one of the best things that has happened at Microsoft ever since we created Microsoft Research over 15 years ago," Somasegar writes in his blog entry. "We will be partnering with Don Syme and others in Microsoft Research to fully integrate the F# language into Visual Studio and continue innovating and evolving F#."

In his own blog, Microsoft researcher Syme writes:

Looking ahead, we'll be initially focused on putting the finishing touches on "V1" of the language design, improving the compiler, tools and Visual Studio project system, completing the language specification and augmenting F# with the libraries and tools needed to make it truly powerful in application areas particularly suited to functional programming.

This is exciting stuff, frankly, even if it won't immediately change the day-to-day jobs of most .NET developers. With F#, Microsoft is setting the direction toward the future of programming, one defined by multi-core processors, grid-enabled applications and intelligent abstraction. During an earlier interview, Microsoft Fellow Anders Hejlsberg gave us an idea of what he expected down the road:

There was once a hope you could just type "/parallel" in your compiler and it could take advantage of multiple processors. Well no, unfortunately that's not panning out. You need to write your program in a different way that is more amenable to execution by smarter infrastructure. And declarative programming and functional programming are probably the best candidates today for really taking advantage of all of that multi-core power we are getting.

What do you think of the addition of F#? And what new languages or other changes would you like to see Microsoft add to .NET and Visual Studio? E-mail me at [email protected].

Posted by Michael Desmond on 10/31/2007 | 4 comments


Testers Get a Moment in the Spotlight

Microsoft just launched a new Web site aimed directly at software QA and testing professionals. Called Tester Center, the new site aims to bring testers together to share experiences and best practices, get advice and access useful content.

The site is headed up by James Whittaker, an early innovator in the area of model-based testing and currently a Microsoft security architect working in the Trustworthy Computing Initiative at Redmond.

If you're involved with software testing at your organization, the Tester Center might be worth a bookmark. Have you had a chance to check the new site out? Let me know your thoughts at [email protected].

Posted by Michael Desmond on 10/24/2007 | 0 comments


RDN Innovator Awards Deadline Nov. 15!

The deadline for submitting entries to the RDN Innovator Awards has been extended two weeks to Nov. 15. The program recognizes outstanding efforts in development, with a focus on shops aligned with Microsoft Windows and the .NET stack. Entries are accepted across a range of independent categories.

Do you have a software development project that's worthy of recognition? Download the RDN Innovator Awards entry form here.

Also check out the ADT Innovator Awards. Now in its 13th consecutive year, the ADT Innovator Awards program recognizes outstanding development on non-Microsoft platforms.

The deadline for both is Nov 15. Sign up now!

Posted by Michael Desmond on 10/24/2007 | 0 comments


Asked and Answered: More Secure .NET Development

Dinis Cruz spends a lot of time worrying about .NET security. The well-known security consultant and trainer is chief security evangelist of the Open Web Application Security Project (OWASP), which aims to improve software security.

RDN contributor John Waters caught up with Cruz at a recent industry event. You can read more about this in the Nov. 15 issue of Redmond Developer News magazine.

RDN: In a nutshell, what's your biggest security concern?
Cruz: We're not putting enough resources and investment into sandboxing technology. The consequence is that developers aren't taking sandboxing seriously anymore.

RDN: In ASP.NET, the "sandbox" is called Code Access Security.
Cruz: Yes, both .NET and Java allow for the creation of a sandbox, which can be enabled and disabled. The problem is, everyone disables it. I think that about 99 percent of the code out there runs with Full Trust with no sandbox -- and I think I'm being generous with that 1 percent.

RDN: Your favorite conference demo seems to be something you call "rooting the CLR." What is that?
Cruz: This is one way to expose the dangers of Full Trust ASP.NET code. I show how, with Full Trust, I can load some .NET code and change the framework behavior.

RDN: If this is such a problem, why aren't Microsoft and Sun doing something about it?
Cruz: I've argued with Microsoft quite a lot about this, and they always listen and they usually agree with me. But their clients aren't demanding it, and the developers don't like putting in all the extra work that it takes to safely contain malicious code, or benign code that could be executed in a malicious way. So, not much gets done.

RDN: I've read that you're interested in getting developers to go beyond their comfort zone when it comes to security. Is this a developer problem?
Cruz: I don't believe that it's the fault of the developer. I think they're too often used as the scapegoats in all this. Remember that they are paid for features and speed, not security. In fact, it doesn't make business sense to write secure code today. Unless it's something really obvious, the users can't evaluate the security of an application. If you're really on the firing line, as many of Microsoft's products are, then you do a bit of work on that. But in most cases, if the attackers aren't exploiting it, the companies don't feel the need to code securely.

Cruz is deeply concerned that dev shops aren't doing more to isolate their code. Does he have a point? What would it take for your company to make secure code a higher priority, and what issues have you run into when trying to improve code security? E-mail me at [email protected].

Posted by Michael Desmond on 10/24/2007 | 0 comments
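Cruz's point is that Code Access Security is rarely used at all, not that it is hard to use. The following is an added example, written for this page and not code from Cruz or from any product he describes, that runs the same probe twice: once in the default (Full Trust) AppDomain and once in an AppDomain whose grant set contains only the permission to execute. It assumes the .NET Framework (2.0 or later; the AppDomain sandboxing API does not exist in .NET Core or .NET 5+), and the class and method names (Probe, TryWriteTempFile, ExecutionOnly) are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Runs inside whichever AppDomain created it. MarshalByRefObject lets the
// host call it across the domain boundary while the code stays sandboxed.
public class Probe : MarshalByRefObject
{
    // Attempts an action that requires FileIOPermission (and EnvironmentPermission
    // for the temp path). Reports whether the current grant set allowed it.
    public string TryWriteTempFile()
    {
        try
        {
            string path = Path.Combine(Path.GetTempPath(), "cas-probe.txt");
            File.WriteAllText(path, "written");
            File.Delete(path);
            return "ALLOWED: file write succeeded";
        }
        catch (SecurityException ex)
        {
            // The CLR refused the demand: the sandbox did its job.
            return "BLOCKED: " + ex.GetType().Name;
        }
    }
}

public static class Program
{
    // A minimal grant set: start from nothing and add only the right to run code.
    // No file, registry, network, reflection or unmanaged-code permission is granted.
    static PermissionSet ExecutionOnly()
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        return grant;
    }

    public static void Main()
    {
        // 1. Full Trust: the default domain, which is how most code runs today.
        var fullTrust = new Probe();
        Console.WriteLine("Default domain: " + fullTrust.TryWriteTempFile());

        // 2. Partial trust: a sandboxed domain with the execution-only grant set.
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, ExecutionOnly());

        // Instantiate the probe inside the sandbox; the proxy we get back is a
        // remoting reference, so the method body executes under the sandbox grant.
        var sandboxed = (Probe)sandbox.CreateInstanceAndUnwrap(
            typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
        Console.WriteLine("Sandbox domain: " + sandboxed.TryWriteTempFile());

        AppDomain.Unload(sandbox);
    }
}
```

The first call reports ALLOWED because the default domain has Full Trust; the second reports BLOCKED because the sandbox grant set lacks FileIOPermission, so the demand made by File.WriteAllText fails before any file is touched. Any permission the sandboxed code legitimately needs (for example read access to one directory) should be added to the grant set explicitly, which is the least-privilege discipline Cruz says almost nobody applies.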


The Facebook Phenomenon

According to a recent Forrester Research survey, 28 percent of enterprises with 500 or more employees have some form of social networking initiative, while 20 percent are considering it. Behind these figures: the runaway popularity of social networking services like MySpace, Facebook and LinkedIn. The buzz around these sites jumped recently, after Facebook announced it would open its APIs to developers.

What's at stake here? Potentially, a lot. Facebook has a huge and growing audience that includes a rapidly expanding business clientele. Apps linked into the Facebook platform using its APIs can be immediately accessed and leveraged by Facebook users, removing much of the friction in delivering services across organizations.

RDN Executive Editor Jeffrey Schwartz caught up with Burton Group Principal Analyst Mike Gotta. According to Gotta, major platform players like Microsoft, IBM and BEA are well aware of Facebook's appeal and are working to provide social networking systems. He says the key issue retarding Facebook adoption (compared to maturing software like IBM Lotus Connections and BEA AquaLogic Pages) is the lack of robust policy management for managing roles, security and workflow.

From a developer perspective, Gotta warns dev managers to carefully consider issues related to information gathering and dissemination. He also notes another challenge when it comes to developing social networking applications.

"Designing social applications is different than designing business applications," Gotta said. "It's not like you're processing a transaction or the typical CRM, ERP or line-of-business application."

Is your company looking to deploy a social networking platform as a way to link individuals and streamline information flow? E-mail me at [email protected].

Posted by Michael Desmond on 10/17/2007 | 0 comments


Cross-Build Injection Threatens App Security

Fortify Software is one of the leading providers of application security solutions for development shops. So when its researchers came across a new type of vulnerability that affects the application build process used in open source software projects, it got my attention.

According to Fortify, cross-build injection exploits "allow a hacker to insert code into the target program while it is being constructed." Discovered by Fortify while working with the Java Open Review Project, cross-build injection attacks represent a shift by hackers, from now-fortified OSes and applications toward the less well-protected application development stack.

Open source projects, which are typically widely distributed and employ automated compilation and other routines, offer an attractive target for cross-build injection. According to the Fortify announcement:

"Once an attacker compromises either the server that hosts a component or the DNS server that the build machine uses to locate that server, the attacker can leverage these vulnerabilities to take full control of the build machine and possibly other machines on the remote network."

I had a chance to pose some questions to Brian Chess, co-founder and chief scientist at Fortify. Here's what he had to say:

How serious is the threat posed by cross-build injection? Now that we're seeing it, can we expect to see more efforts to bring this attack to dev shops?
Once an organization has licked problems like buffer overflow and SQL injection, this might just be the easiest way for an attacker to slip code into the company. We expect that the attack will grow in popularity at the same rate that automatic dependency management systems grow in popularity. More targets equal more attacks.

Are there things dev shops can do, outside of the Fortify offerings, to defend or blunt these types of attacks? What kinds of changes to practices and infrastructure might be called for?
The first and simplest is to refrain from adopting automated dependency management systems altogether. Managing dependencies manually eliminates the potential for unexpected behavior caused by the build system.

The second is a hybrid of the traditional manual dependency management approach and the fully automated solution that is popular today: Run your own internal dependency server. The biggest advantage of the manual build process is the decreased window of attack, which can be achieved in a semi-automated system by replicating external dependency servers internally.

The third builds on the second: Introduce a system for vetting any open source code that is introduced into the build. This is the only way to make sure the code is acceptable.

Does this type of attack represent an escalation of threat as attackers move up the pipeline seeking vulnerabilities? Any thoughts on what might be next?
Absolutely. There's a thin line between virtue and vice. The more we automate, the more we leave room for abuse. We are open to attack anywhere people place trust without understanding what they are trusting. In particular, we expect to see more vulnerabilities in mobile devices and embedded systems.

You can read a white paper on the cross-build injection vulnerability here (PDF).

What development-stage security issues are most concerning to you? E-mail me at [email protected].

Posted by Michael Desmond on 10/17/2007 | 0 comments
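Fortify's description makes the trust problem concrete: the build trusts whatever the hosting server or the DNS resolver hands it. Chess's second and third mitigations (an internal dependency server and a vetting step) both come down to the build accepting only artifacts that match a copy someone has already reviewed. The following is an added example, written for this page and not code from Fortify or from any project it mentions, that shows the check a build script can run before using downloaded dependencies: a pinned manifest of SHA-256 digests recorded at vetting time, compared against what actually arrived. The manifest entries, file names and temp-directory contents are constructed for the demonstration; the class name DependencyVerifier is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

public static class DependencyVerifier
{
    // Lower-case hex SHA-256 of a byte array.
    public static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(data);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Compares each artifact in downloadDir against the pinned digest recorded
    // when the artifact was vetted. Returns one line per failure; an empty list
    // means the build may proceed. A mismatch is treated the same as a missing
    // file: the build must not fall back to whatever the network delivered.
    public static List<string> Verify(IDictionary<string, string> manifest, string downloadDir)
    {
        var failures = new List<string>();
        foreach (var pin in manifest)
        {
            string path = Path.Combine(downloadDir, pin.Key);
            if (!File.Exists(path))
            {
                failures.Add(pin.Key + ": missing");
                continue;
            }
            string actual = Sha256Hex(File.ReadAllBytes(path));
            if (!string.Equals(actual, pin.Value, StringComparison.Ordinal))
                failures.Add(pin.Key + ": digest mismatch (expected " + pin.Value + ", got " + actual + ")");
        }
        return failures;
    }

    public static int Main()
    {
        // Constructed sample: two "downloaded" artifacts in a throwaway directory.
        // One matches the vetted copy; the other has been altered by one byte.
        string dir = Path.Combine(Path.GetTempPath(), "xbi-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        File.WriteAllText(Path.Combine(dir, "good-lib.jar"), "hello world");
        File.WriteAllText(Path.Combine(dir, "tampered-lib.jar"), "hello world!");

        // Pinned manifest as it would be committed alongside the build scripts.
        // Both pins are the SHA-256 of the ASCII bytes "hello world", i.e. the
        // content that was vetted; the tampered download will not match it.
        var manifest = new Dictionary<string, string>
        {
            { "good-lib.jar", "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" },
            { "tampered-lib.jar", "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" },
        };

        List<string> failures = Verify(manifest, dir);
        Directory.Delete(dir, true);

        foreach (string failure in failures)
            Console.Error.WriteLine("REJECT " + failure);
        Console.WriteLine(failures.Count == 0
            ? "all dependencies verified"
            : failures.Count + " dependency(ies) rejected; aborting build");

        // Non-zero exit makes a CI job fail instead of compiling unverified code.
        return failures.Count == 0 ? 0 : 1;
    }
}
```

Because the digest is compared against a value stored with the build, a compromised mirror or a poisoned DNS answer can change what is downloaded but not what is accepted; the substitution shows up as a rejected artifact and a failed build rather than as injected code in the product. The manifest should only be updated through the vetting process Chess describes, never by a script that re-pins whatever it just fetched.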


Adobe Ascendant

We've spent a lot of time and ink covering Microsoft's Silverlight technology, and for good reason. Initially regarded as a simple Flash competitor for delivering rich media over the Web, Silverlight quickly emerged as a full-fledged application delivery platform. And, as seems to be the case with all successful Microsoft offerings, Silverlight is an amazing lesson in leverage. To wit: It enables millions of .NET-savvy developers to write and package applications for use across platforms and across the Web, via the Silverlight player.

Not that Adobe Inc. is going to take all this sitting down. The company that brought us Flash and basically established the rich Internet application (RIA) shtick isn't done innovating in this market. The Adobe Integrated Runtime (AIR) platform, currently in beta and expected to launch in Q1 of 2008, is attracting a lot of developer attention. Playing against a loyal audience of Flash developers and bolstered by the maturing Flex 3 development environment, AIR has the look of a capable RIA platform.

Perhaps most significant is the work Adobe is doing to win over developers. As Dana Gardner notes in his blog, the new Flex beta supports ASP.NET and enables programmers to create applications from a SQL database using wizards. The availability of embedded local databases is also a key advantage, since it should enable AIR applications to behave in a much more desktop-like fashion than browser-bound Silverlight apps.

At the Adobe MAX show last week, the company trundled out a host of brand-name companies that are rolling out AIR, including SAP and Business Objects.

Just don't sleep on Silverlight. Our senior editor Kate Richards was at the ReMIX event in Boston yesterday and she says developers there were very excited about Microsoft's RIA platform. Her take: Dev shops find Silverlight to be very manageable -- a far cry from their experience working with the Windows Presentation Foundation native to .NET Framework 3.0.

Is your shop looking at Adobe AIR? If so, we'd like to hear from you. What are your thoughts on Adobe's RIA platform and how does it stack up compared to Silverlight? E-mail me at [email protected].

Posted by Michael Desmond on 10/10/2007 | 1 comment


Facebook: Fad or Framework?

Steve Ballmer may have been showing his age last week, when he called out the Facebook social networking site as a "fad" and questioned the value of the technology used to make it go.

"I think these things [social networks] are going to have some legs, and yet there's a faddishness, a faddish nature about anything that basically appeals to younger people," Ballmer was quoted as saying in an Oct. 2 article in the Times Online. You can read the full article here.

Reading this, I can almost picture Ballmer out on his porch, in boxer shorts and black socks, yelling at a bunch of neighborhood kids to get off his lawn.

One of those kids might be Rodney Rumford. He's president of a technology and strategy firm that focuses on Facebook application development.

"What he doesn't understand is Facebook literally changes the way people communicate," Rumford said. "It provides increased efficiency in discovering information and sharing information, and information finds me...Facebook is a social networking site. But if you float up 10,000 feet, it's really a communication platform."

What's more, Rumford thinks that communication platform is going to have a broad impact on programmers -- a very broad impact. "Every developer needs to know HTML, correct? I think in five years, every developer is going to have to know [Facebook Markup Language] on a basic level," Rumford said.

Is Ballmer getting crotchety or is Rumford just getting way ahead of himself? You tell me. Is there a role for a Facebook-type platform in corporate development and, if so, what might we expect from it? E-mail me at [email protected].

Posted by Michael Desmond on 10/08/2007 | 0 comments


Leaving Live

Frequent RDN contributor Mary Jo Foley has the goods on yet another high-profile defection from Microsoft's Live business unit. This time, the departee is Danny Thorpe, formerly a senior program manager and architect in the Windows Live Platform group. Thorpe is leaving to work with a startup called Cooliris. You can read Foley's blog posting here.

As Foley recounts, Thorpe originally came to Microsoft in April 2006 by way of Borland and Google and was one of the key minds behind the Borland Delphi programming language. You can read Danny Thorpe's blog account here.

Thorpe's defection comes hot on the heels of a couple of other Live leavings. Live Search's Erik Selberg left Microsoft for Amazon.com about a week and a half ago (here's Erik's blog post on his decision). A couple of days later, Windows Live's Bubba Murarka let fly the news that he was leaving Microsoft to launch his own business.

Microsoft's Windows Live effort is hardly on the verge of collapse. But these kinds of defections are interesting, given how quiet the company has been about the evolution of Live as a development platform, which at one time was rumored to be on track for the end of last year. What do you think? E-mail me at [email protected].

Posted by Michael Desmond on 10/08/2007 | 0 comments


Back to School

Six months ago or so, I interviewed Microsoft security expert Mike Howard about the challenge his company faced as it worked to make the development of fundamentally secure software a core mission of every project. Known as the Security Development Lifecycle (SDL), the effort took years to complete, and ultimately resulted in the release of much more secure code.

One complaint Howard voiced in that interview was the lack of security-related awareness and training among entry-level programmers arriving at Microsoft. He specifically pointed a finger at undergraduate institutions, which he said were producing programmers who didn't have to consider code vulnerabilities during their formal education. As a result, Microsoft now sends new arrivals to a weeks-long security training program, just to get them up to speed. In a sense, Microsoft is doing the work that schools should've accomplished.

We've heard other complaints, as well, about college-level programs.

Our senior editor, Kathleen Richards, is working on an upcoming feature about computer science education in colleges and graduate schools, and how it's changing (or not changing) to meet modern challenges. We want to hear from you. If you're hiring newly graduated programmers, what are you noticing?

And as a development manager, if you could send a message to the people who run the computer science curricula at major schools, what would you want to say to them? Now is your chance. E-mail me at [email protected].

Posted by Michael Desmond on 10/03/2007 | 0 comments


The Future of Development Is...Facebook?

Facebook is fast transforming from its roots as a social networking site for college students into a full-fledged development platform that has drawn Microsoft's interest. Certainly, there's keen and growing interest in extending the benefits of Facebook's community network model into the professional sphere.

Is your company's CEO beating down IT's door, asking for Facebook or something like it? Or do you think Facebook and platforms like it are a passing fad, as Steve Ballmer recently suggested? E-mail me at [email protected].

Posted by Michael Desmond on 10/03/2007 | 2 comments