NWC | Buzzcut | Microsoft Defies Human Nature With Built-In Bug Catcher |

Upcoming Events

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

N E W S / A N A L Y S I S

Microsoft Defies Human Nature With Built-In Bug Catcher

March 5, 2003
By Lori MacVittie

	Issue TOC
	Print full article
	E-Mail this URL
	Discuss this article
	Flame the author

Microsoft says it will equip its Visual Studio .Net with a plug-in from security software vendor Sanctum designed to catch common security vulnerabilities at development time. This new feature is intended to let programmers check their code more often for security flaws, helping them release code free of common exploits.

Join other NWC readers in discussing this article.

The fact that this news is lauded as a great move is indicative of many companies' failure to adequately enforce security and coding policies. It also points to their shoddy code-review processes and the incompetency of some of their programmers. Buffer overflows generally occur when a developer copies one string into another and the length of the former is longer than the length of the latter. The fact that no one checks the length of the string being copied is astounding. The notion that QA processes don't catch such errors is just confounding.

Although documenting test cases and performing unit tests on code is not the most exciting part of development, such tedious tasks are necessary to ensure that the underlying code does not contain defects--especially defects that could cause security breaches.

Introducing an automated method of scanning for vulnerabilities during development is the correct course of action, but if companies are unwilling or unable to create and enforce the necessary coding and QA practices that would ensure compliance, how can they enforce the use of such a tool?

Besides, an automated tool cannot replace due diligence. It can only assist in a company's efforts to reduce its product's security vulnerabilities. Those efforts should include a closer examination of code and better training for developers--and perhaps tougher punishment than a slap on the wrist for developers who continue to introduce exploits.

Anyone familiar with Microsoft's history of developing software vulnerable to buffer-overflow exploits is sure to sense the irony. We can only hope Microsoft's endorsement of Sanctum's product by including it with the Microsoft development environment means the programmers responsible for developing Microsoft's other products will be using it, and using it often.

Visit www.nwc.com/buzzcut/ to find more technology news analysis and post your own opinions.

Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

Disk Storage, Heal Thyself

No-maintenance RAID arrays will deliver more efficiency and higher performance, and save money to boot by obviating expensive maintenance plans through built-in spares and other self-healing features. IT groups, especially those with remote locations, could save themselves a bundle by adopting this technology sooner rather than later.

Silo to Gold Mine: What CMIS Can (and Can't) Do for ECM Integration

Enterprises know they could wring more value from their enterprise content management system investments. Unfortunately, integration and interoperability are sticking points. In this Strategy Session report, we investigate whether Oasis' new open Content Management Integration Services standard could be the answer to these woes.

Download: 10 Gotchas That Derail ECM Initiatives

Enterprise content management deployments are fraught with dangers, such as weak search capabilities and poor requirements definitions, that can grind projects to a halt. This report helps CIOs and project leaders move beyond gridlock, choose the right tools and foster seamless integration.

Video

Network Computingwww.networkcomputing.com

Home

News and Analysis

Tech Centers

Channels

Bloggers

Upcoming Events

Executive conference

Vendor Newsfeed

Subscribe to Newsletter

Best of the Web

Data deduplication: Declawing the clones

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

WAN Optimization Whitelists and Blacklists

WAN Optimization as a Managed Service: It's Not About the Cost

Premium Content

Disk Storage, Heal Thyself

Silo to Gold Mine: What CMIS Can (and Can't) Do for ECM Integration

Download: 10 Gotchas That Derail ECM Initiatives

Video

Most Popular

Whitepapers

BlogRoll

CIOs & IT Professionals

Software Developers

Web & Digital Professionals

Vertical Markets

Government Officials

Global Communications Service Providers

Most Popular

TechWeb Reader Services