ASP.NET VERSIONS: ALL
Microsoft Confronts the Realities of Security
By Don Kiely
MSDN recently published Guidance on Patterns & Practices: Security, a very nice article by Keith Pleas. Although several security-minded bloggers have written about it, I'd like to share a few observations.
The article is an interesting read, as Keith puts the sample apps through a mini security review. Although there isn't much depth there (the article would be many times longer if there were), it's a good exercise and a good warning about using Microsoft sample code blindly without carefully examining and analyzing it. (In fairness to the samples, some were written outside Microsoft and in more innocent times. But those are lame excuses in today's security environment, particularly because some of the flaws were well-known when the samples were created or last updated; the company should pull them when they are discovered to have security flaws.)
Keith is not a Microsoft employee, but he has been a contractor to them in various capacities for years, lately with the Patterns & Practices group that tells developers who implement Microsoft technologies how to do things the best way, or at least the Microsoft way.
What I really found interesting in the article is not so much the technical information (it's a fairly high-level view) but the admission that Microsoft doesn't always release sample code that shows okay practices, much less best practices, for security. Keith talks about two specific examples: the widely discussed, used, and studied Duwamish Books and Fitch & Mather Stocks. The two apps include some minor security comments in the docs that indicate that in a real application you surely wouldn't do such an unsafe, insecure implementation. After all, these apps were originally written to show off certain Microsoft technologies, not to demonstrate good security practices. But there are a lot of real-world apps out there that are implemented using these apps, either extending one of the sample apps or using them as a template for an application.
Nevertheless, the fact that Microsoft published Keith's article is good news, even though it was not written by an employee. One of the promises Microsoft has made for the 2005 edition of its development tools is to improve communications about secure practices, including how it implements its sample apps.
An unfortunate byproduct of this new emphasis on security is that it is going to make it harder to set up the samples to play with, because you'll have a few security-related hoops to jump through. Gone are the days of xcopy deployment to play with code.
Alas, appearance of this article doesn't mean that all is well with security in Microsoft-land. Keith's Patterns & Practices group just released their Enterprise Library 2005 with seven newly updated application blocks. The problem is that if you install it to the default location, under C:\Program Files, when you try to use them you get an error saying that you can't write to a file. (Thanks to Robert Hurlbut for first bringing this to my attention.) Which shows that the folks who developed EntLib aren't running with lesser privileges, and these tools didn't get a decent security review.
Will Microsoft ever learn? Or will they keep shipping software with these kinds of problems, even while preaching that the rest of the world use good security practices? Aargh!
Anyway, check out Keith's article. It's a worthwhile read.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK.