Desmond File

Blog archive

Asked and Answered: More Secure .NET Development

Dinis Cruz spends a lot of time worrying about .NET security. The well-known security consultant and trainer is chief security evangelist of the Open Web Application Security Project (OWASP), which aims to improve software security.

RDN contributor John Waters caught up with Cruz at a recent industry event. You can read more about this in the Nov. 15 issue of Redmond Developer News magazine.

RDN: In a nutshell, what's your biggest security concern?
Cruz:
We're not putting enough resources and investment into sandboxing technology. The consequence is that developers aren't taking sandboxing seriously anymore.

In ASP.NET, the "sandbox" is called Code Access Security.
Yes, both .NET and Java allow for the creation of a sandbox, which can be enabled and disabled. The problem is, everyone disables it. I think that about 99 percent of the code out there runs with Full Trust with no sandbox -- and I think I'm being generous with that 1 percent.

Your favorite conference demo seems to be something you call "rooting the CLR." What is that?
This is one way to expose the dangers of Full Trust ASP.NET code. I show how, with Full Trust, I can load some .NET code and change the framework behavior.

If this is such a problem, why aren't Microsoft and Sun doing something about it?
I've argued with Microsoft quite a lot about this, and they always listen and they usually agree with me. But their clients aren't demanding it, and the developers don't like putting in all the extra work that it takes to safely contain malicious code, or benign code that could be executed in a malicious way. So, not much gets done.

I've read that you're interested in getting developers to go beyond their comfort zone when it comes to security. Is this a developer problem?
I don't believe that it's the fault of the developer. I think they're too often used as the scapegoats in all this. Remember that they are paid for features and speed, not security. In fact, it doesn't make business sense to write secure code today. Unless it's something really obvious, the users can't evaluate the security of an application. If you're really on the firing line, as many of Microsoft's products are, then you do a bit of work on that. But in most cases, if the attackers aren't exploiting it, the companies don't feel the need to code securely.

Cruz is deeply concerned that dev shops aren't doing more to isolate their code. Does he have a point? What would it take for your company to make secure code a higher priority, and what issues have you run into when trying to improve code security? E-mail me at [email protected].

Posted by Michael Desmond on 10/24/2007


comments powered by Disqus

Featured

  • GitHub Previews Agentic AI in VS Code Copilot

    GitHub announced a raft of improvements to its Copilot AI in the Visual Studio Code editor, including a new "agent mode" in preview that lets developers use the AI technology to write code faster and more accurately.

  • Copilot Engineering in the Cloud with Azure and GitHub

    Who better to lead a full-day deep dive into this tech than two experts from GitHub, which introduced the original "AI pair programmer" and spawned the ubiquitous Copilot moniker?

  • Uno Platform Wants Microsoft to Improve .NET WebAssembly in Two Ways

    Uno Platform, a third-party dev tooling specialist that caters to .NET developers, published a report on the state of WebAssembly, addressing some shortcomings in the .NET implementation it would like to see Microsoft address.

  • Random Neighborhoods Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the random neighborhoods regression technique, where the goal is to predict a single numeric value. Compared to other ML regression techniques, advantages are that it can handle both large and small datasets, and the results are highly interpretable.

  • As Some Orgs Restrict DeepSeek AI Usage, Microsoft Offers Models and Dev Guidance

    While some organizations are restricting employee usage of the new open source DeepSeek AI from a Chinese company due to data collection concerns, Microsoft has taken a different approach.

Subscribe on YouTube

Upcoming Training Events