It seems that the IT world according to Microsoft is changing, and it could be for the better.
For example, Microsoft’s Professional Developers Conference in Los Angeles last month offered the usual whiz-bang demos and cheering sessions for upcoming products that one expects from a gathering
designed to excite developers about a platform.
There were sessions on topics ranging from the basic use of APIs to esoteric constructs in C#, plenty of previews of the new tools in the upcoming version of Visual Studio, codenamed Whidbey, and of the next version of Windows, codenamed Longhorn.
Hands-on labs provided the opportunity to play with the new toys, giving developers the chance to see how they like them, and Microsoft the opportunity to receive feedback from the folks who will actually be using the currently embryonic products.
Standard stuff – except for the last day.
On that day, there was, of all things, a security symposium. A darned good one, I might add.
Microsoft’s Security Business Unit demonstrated how exploits happen, and described best practices, complete with code examples, designed to prevent the vulnerabilities that allow them.
Prefixing his remarks with “”I’m sure you already know this””, one presenter described the dreaded buffer overrun in detail (and I’m sure he was sure a lot of those present wouldn’t have known a buffer overrun if it bit them on the ankle!). He explained how the bulk of vulnerabilities in software are caused by neglect — the programmer trusts that inputs are valid, and doesn’t check them for length or content. Then he showed the consequences of that misplaced trust: SQL injection attacks and integer overflow attacks, stack and heap overruns and other forms of evil. Microsoft’s developers are as plagued with these issues as any; over a third of the security bulletins it has issued this year are concerned with these kinds of holes.
Scary stuff.
The symposium does show, however, that Microsoft has, at least intellectually, grasped the concepts of secure development. The conference materials even included a fat volume on the subject, stuffed full of hints and useful code snippets. According to the symposium presenters, the company has also developed internal tools to help locate code problems, and plans to productize those tools for other developers. But, as chairman and chief software architect Bill Gates has noted, it still has a long way to go.
The next initiative will be a security-oriented service pack for Windows XP that provides a better firewall, and will disable unnecessary, vulnerable services. And Longhorn is being built, they say, in a more hole-free manner – but it’s at least a couple of years away. Meanwhile, it will be interesting to see whether developers actually took home the ideas on secure development.