Desmond File

Blog archive

Secure Your Code

Microsoft technical fellow Michael Howard has probably forgotten more about secure software development than you or I will ever know. During a recent interview, the man behind Microsoft's strategic Security Development Lifecycle (SDL) program and the co-author of the book Writing Secure Code told me that young programmers entering the industry are simply not being trained about security issues.

"Really good software engineering skills are in incredibly short supply. We see that when we hire engineers out of school. They know nothing about building secure software," Howard told me. "They don't know the issues -- it's as simple as that. They don't understand the issues."

This is a lament I've heard before, and one that extends forward to deep concerns about the general state of corporate software development. Internal development shops are simply not doing enough to harden their code, particularly in an era when attacks are increasingly moving to the application layer.

Howard points a finger at universities that fail to integrate security concepts into their computer science curricula. He also singles out corporate development shops for failing to address secure development concepts, both from a training and operational standpoint. And that's not the worst of it, says Howard.

"You know, the most dangerous thing is the number of people who think they know how to build secure software, when they don't. That's the scary thing," he said.

Is Michael Howard on to something? Tell us what your company is doing to secure code against attacks and vulnerabilities, and how flawed development might have helped create a crisis in the past. Write me at [email protected].

Posted by Michael Desmond on 04/25/2007

comments powered by Disqus


Subscribe on YouTube