Editor's Note

Security and Whips

Last September, MSDN Magazine published its first-ever issue devoted entirely to the topic of security. Feedback was so positive that we thought "Hey! We can do this again next year!" It's this kind of forward thinking that's behind this year's security issue.

But the truth is, there's so much material to cover that we could do an issue like this every year. We've always been aware of the potentially destructive effects of worms and viruses on our systems. However, developer awareness of security issues has really increased over the past couple of years. Since so many applications now send and receive data over the Internet, most apps are now exposed to hostile input. Buffer overruns that used to just crash desktop programs can now be exploited to execute hostile code. If you listen on a port, a script kiddie will find you. If you don't listen on anything, they might still reach you through another program that does.

In most cases, however, security strategy is considered something for IT to deal with. That's backward thinking, and it causes an endless cycle of fire drills as various operating systems and apps fall victim to exploits. (And make no mistake here—despite what you might read, it's not just a problem with Windows, as a quick look through BUGTRAQ (https://www.securityfocus.com/archive/1) will make clear.) Relying upon IT to keep your systems secure is not always going to cut it, especially if they don't have control of your production code. Just as anti-crime programs that address the roots of violence are more successful in lowering crime rates than post-incident enforcement, the best path to eliminating security bugs is to nail them at the source—your code.

The problem with baking security into the code, of course, is that it's not the mindset of most programmers today. Sometimes the fastest and easiest implementation of an idea isn't the most secure. It's enough of a drag to use assert statements and try/catch blocks, and now you're supposed to check strcpy buffers for overflows? We didn't intern in front of a VT100 for three weeks for this kind of treatment!
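Since the editorial only gestures at "checking strcpy buffers," here is what that check actually looks like in C. This is an added example, not code from the magazine or from any of the issue's articles; the buffer size, function names and sample strings are all made up for illustration. It places the unchecked copy beside a bounded one, and also shows why the common strncpy "fix" is incomplete on its own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size field, as found in a struct read from a file
   or a network packet. The size is an assumption for this example. */
#define NAME_MAX 16

/* The classic unchecked pattern the editorial warns about. strcpy()
   writes strlen(src) + 1 bytes no matter how large dst is, so any src
   of 16 characters or more overruns the 16-byte buffer. The function
   is kept here for contrast and is only ever called with short input. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: returns 0 on success and -1 when src (including its
   terminating NUL) does not fit. On failure dst is left as an empty
   string so a caller that ignores the return value still holds a valid,
   terminated string rather than uninitialized memory. */
int copy_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX) {       /* need n + 1 bytes, have NAME_MAX */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* copy the NUL as well */
    return 0;
}

/* strncpy() bounds the write but does NOT NUL-terminate when src fills
   the whole buffer, so the caller must terminate (or reject) itself.
   Returns 0 if src fit, -1 if it was truncated. */
int copy_name_strncpy(char dst[NAME_MAX], const char *src)
{
    strncpy(dst, src, NAME_MAX);
    if (dst[NAME_MAX - 1] != '\0') {
        dst[NAME_MAX - 1] = '\0';  /* force termination; data is truncated */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[NAME_MAX];

    /* Constructed inputs: one that fits, one that does not. */
    const char *short_input = "Indiana Jones";           /* 13 chars */
    const char *long_input  = "Robert Dante, whip coach"; /* 24 chars */

    copy_name_unchecked(name, short_input);   /* safe only because input is short */
    printf("unchecked: %s\n", name);

    printf("checked short: %d (%s)\n", copy_name_checked(name, short_input), name);
    printf("checked long:  %d (\"%s\")\n", copy_name_checked(name, long_input), name);
    printf("strncpy long:  %d (%s)\n", copy_name_strncpy(name, long_input), name);
    return 0;
}
```

The checked version rejects oversized input instead of silently truncating it; whether truncation or rejection is right depends on what the field means, but either must be a deliberate choice made where the buffer size is known, which is exactly the review step the rest of this issue is about.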

No one ever said it was going to be easy. However, we've put together lots of helpful tips for you in this issue, from an overview of data-hiding techniques to a firsthand account of how one expert performs security code reviews on products. We now use many of these guidelines to check the code that goes into our magazine. So many tips for writing secure code seem obvious once you hear them, but you'd never know it from looking at some of the programs submitted to us.

And remember, even if you're writing managed code, you can run into problems. Your code won't be able to overrun a memory buffer by itself, but once you go outside your world and send data to another program (even a database) all bets are off. Assuming that unreviewed code can't do much damage is a false sense of security, and it leads to sloppiness and potential holes.

This issue of MSDN Magazine is only one of many available security resources. We've published a lot of security-related articles over the past several years; you can browse the list online with our advanced topic listings. You should also check out the MSDN Security Developer Center and the Patterns & Practices site.

And now for the fun portion of the Editor's Note. We get a lot of press releases floating across our New Stuff desk each month. To keep the volume down a bit, we will normally filter out the stuff that's not related to our major areas of focus (building programs with Microsoft tools and technologies). We get press releases from churches, sheet metal manufacturers, limo services in Hong Kong, you name it. However, last week we received one press release that, while not strictly up our alley, caught our eye.

The Guinness World Record for "World's Fastest Whip" was set by whip expert and coach Robert Dante on September 2 at the Dream Circus in Hollywood. Dante set the record by cracking a whip 203 times in one minute, using a 6-foot bullwhip made by Australian whip maker Mike Murphy. The attempt was timed to coincide with the launch of Dante's weekly bullwhip academy at the Dream Circus in Hollywood. For more information, check them out at https://www.wildwestperformers.com.

If you've admired Indiana Jones, or Zorro, or even the Catwoman, this class is your chance to feel the thrill of gracefully and safely cracking a bullwhip.

If this whole magazine thing doesn't pan out for us, at least we've finally figured out a possible backup plan! Now, to fit into this Catwoman suit...

—J.T.

Active Directory, ActiveX, JScript, Microsoft, Microsoft Press, MSDN, Visual Basic, Visual C++, Visual C#, Visual Studio, Windows, Windows NT, and Win32 are registered trademarks of Microsoft Corporation. Windows Server is a trademark of Microsoft Corporation. Other trademarks or tradenames mentioned herein are the property of their respective owners.

MSDN Magazine does not make any representation or warranty, express or implied with respect to any code or other information herein. MSDN Magazine disclaims any liability whatsoever for any use of such code or other information.