Desmond File

Blog archive

Secure Your Code

Microsoft technical fellow Michael Howard has probably forgotten more about secure software development than you or I will ever know. During a recent interview, the man behind Microsoft's strategic Security Development Lifecycle (SDL) program and the co-author of the book Writing Secure Code told me that young programmers entering the industry are simply not being trained about security issues.

"Really good software engineering skills are in incredibly short supply. We see that when we hire engineers out of school. They know nothing about building secure software," Howard told me. "They don't know the issues -- it's as simple as that. They don't understand the issues."

This is a lament I've heard before, and one that extends forward to deep concerns about the general state of corporate software development. Internal development shops are simply not doing enough to harden their code, particularly in an era when attacks are increasingly moving to the application layer.

Howard points a finger at universities that fail to integrate security concepts into their computer science curricula. He also singles out corporate development shops for failing to address secure development concepts, both from a training and operational standpoint. And that's not the worst of it, says Howard.

"You know, the most dangerous thing is the number of people who think they know how to build secure software, when they don't. That's the scary thing," he said.

Is Michael Howard on to something? Tell us what your company is doing to secure code against attacks and vulnerabilities, and how flawed development might have helped create a crisis in the past. Write me at [email protected].

Posted by Michael Desmond on 04/25/2007 at 1:15 PM

comments powered by Disqus


  • Microsoft's Tools to Fight Solorigate Attack Are Now Open Source

    Microsoft open sourced homegrown tools it used to check its systems for code related to the recent massive breach of supply chains that the company has named Solorigate.

  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

Upcoming Events