Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Microsoft Defies Human Nature With Built-In Bug Catcher

Microsoft says it will equip its Visual Studio .Net with a plug-in from security software vendor Sanctum designed to catch common security vulnerabilities at development time. This new feature is intended to let programmers check their code more often for security flaws, helping them release code free of common exploits.

Discuss Join other NWC readers in discussing this article.

The fact that this news is lauded as a great move is indicative of many companies' failure to adequately enforce security and coding policies. It also points to their shoddy code-review processes and the incompetency of some of their programmers. Buffer overflows generally occur when a developer copies one string into another and the length of the former is longer than the length of the latter. The fact that no one checks the length of the string being copied is astounding. The notion that QA processes don't catch such errors is just confounding.

Although documenting test cases and performing unit tests on code is not the most exciting part of development, such tedious tasks are necessary to ensure that the underlying code does not contain defects--especially defects that could cause security breaches.

Introducing an automated method of scanning for vulnerabilities during development is the correct course of action, but if companies are unwilling or unable to create and enforce the necessary coding and QA practices that would ensure compliance, how can they enforce the use of such a tool?

Besides, an automated tool cannot replace due diligence. It can only assist in a company's efforts to reduce its product's security vulnerabilities. Those efforts should include a closer examination of code and better training for developers--and perhaps tougher punishment than a slap on the wrist for developers who continue to introduce exploits.

  • 1