Microsoft TechEd Conference Will Cast Light On Stopping Bugs In Development - InformationWeek


News
6/3/2005
04:08 PM

A new tool for Visual Studio is part of a growing effort to use automated tools to head off vulnerabilities before they end up in code.

Troubleshooting security problems in software that runs the business is a high priority for IT staffs. But there's a growing recognition that catching vulnerabilities during development should be an even higher one.

Next week at its TechEd Conference 2005 in Orlando, Fla., Microsoft will demonstrate a code scanner that can identify a security problem, lead a developer to the line of source code that contains it, and even help fix it. SPI Dynamics Inc.'s DevInspect and SecureObjects provide the capabilities. The .Net security tools are being integrated with Microsoft's Visual Studio 2005, expected to be available late this year.

Such tools are becoming more common in the Microsoft and Java/C++ development environments. "Traditionally there's been some looking at the code base, but when you start looking at 10 to 20 million lines for vulnerabilities, that's a challenge," says Howard Schmidt, former special adviser on cyberspace security to the White House and one-time chief security officer for Microsoft. Automated tools can look more methodically and tirelessly than the human eye, Schmidt says.

One source of such technology is traditional software-testing tool suppliers. Mercury Interactive Corp., for example, has licensed SPI Dynamics' code scanner and fixer and offers it with five of its test products.

But startups that have made security a specialty are entering the scene. In addition to SPI Dynamics, there's Coverity Inc., an outgrowth of research by associate professor Dawson Engler at Stanford University's Computer Science Lab. Engler also is Coverity's chief scientist.

With more software being developed for use on the Web, it's critical for developers to understand when they're creating openings for intruders. Engler's research illustrates that many developers assume data inputs from users will be exactly as they prescribe, leaving an opportunity for intruders to insert JavaScript or HTML code that a server would run as it tried to read the "user" input.

About 80% of existing security exposures, such as buffer overflows or SQL injection, in which SQL commands are entered in place of the requested user data and seize control of a database, can be attributed to poor data-input validation, says Caleb Sima, SPI Dynamics' founder and chief technology officer.
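The two input-validation failures described above, untrusted input spliced into a SQL command and untrusted input echoed back as HTML, shown beside their hardened forms. This is an added example for illustration, not code from the article or from any SPI Dynamics or Coverity product; the `users` table, its rows and the sample inputs are constructed.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the
    application database a Web app queries with user-supplied values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Trusts the input and splices it into the SQL text. Any SQL syntax in
    the string becomes part of the command the database executes."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, so the database
    treats it as data no matter which characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(username: str) -> str:
    """Escapes the value before placing it in HTML, so markup or script in
    the input is displayed as text instead of interpreted by the browser."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed input that is SQL syntax rather than a username.
    bad = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, bad))  # every row comes back
    print("safe:      ", lookup_safe(db, bad))        # no row matches
    print(render_greeting("<script>alert(1)</script>"))
```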

Programming efficiency also is becoming more important as companies squeeze IT costs. "Once a security issue shows up in production, it's like putting the software through the development cycle twice. It has to go back to development" to be fixed, says Edward Liebig, principal IT security architect with Computer Sciences Corp. Liebig is former director of IT security at Manulife USA Annuities, now part of John Hancock Financial Services Inc., where he used WebInspect, a code-scanning tool from SPI Dynamics, to review Web apps. He's about to use DevInspect and SecureObjects as part of a CSC development project for a large energy-industry client.

It's important, when automatically looking for security holes, not to generate a lot of false positives, or conditions that theoretically might leave openings but don't in practice, Liebig says. The best tools, he says, highlight "real, exploitable conditions."
