Editor's Note

Start Your Own Security Push

Earlier this year, Bill Gates outlined a comprehensive vision for trustworthy computing. Simply put, to achieve trustworthy computing, developers must pay attention to security and reliability—the two biggest issues facing the world of computing today. This push was underlined by efforts at Microsoft, where development was all but halted for a month so that every current piece of code could undergo a security review.

Of course, security gets more complex as computers are integrated more deeply into our daily life. Back in the early 1990s, security consisted of virus-checking floppy disks before putting them in your machine and having Unix system administrators look for back doors. A few years ago, when we heard the word security here we thought about the guard at One MSJ Plaza. You know, the one who thinks that just because he's wearing a gray blazer, he can ask us for ID and tell us we can't "borrow" computers on a Saturday morning. Well, you're not the boss of us!

Now, almost everyone connects to the Internet. There are millions of machines connected 24 hours a day through broadband. As targets have become more plentiful, attacks have become more widespread. And as hackers have become more sophisticated, attack types have mutated. (Or, to be honest, a few hackers have become more sophisticated, and thousands of wannabes just copy their scripts verbatim.) Since everyone's running anti-virus software now, hacking targets other paths into your system—open ports, breakable code, and social engineering.

Anti-virus software is more vital than ever, but right now it's only a small part of your job as a developer. There are so many ways to break your code today that it's imperative that you build security in from the beginning. If you're a program manager, keep security considerations in mind as you plan products. Regular code reviews and complete test suites are vital for programmers and testers who don't want their program to appear on some bug-of-the-day Web site.

As you may have noticed from our cover, this is a special issue for our magazine. MSDN Magazine (as well as our predecessors MSJ and MIND) has created theme issues before—from Windows 95 to Microsoft .NET to Windows XP. However, those issues were all based on products. For the first time, we're building an issue not around a new product but around a concept.

At the same time, the focus on security is nothing new for us. MSJ first ran Keith Brown's Security Briefs column four years ago. A quick check of our topic-based search engine shows that we've published over 25 articles about computing security. Not bad for starters, but there's still much more to discuss.

In this month's issue, we'll be attacking the topic of security from several angles. The first thing you should do is review the basics of creating secure code. Before you start, read our article by security experts Michael Howard and Keith Brown. They discuss 10 things every programmer should know about security. It seems simple, but it's the basic problems that trip up most systems.

The .NET Framework introduces a wholly new concept of security (at least for those steeped in the Windows tradition). Instead of basing security on objects, it's based on tasks. That's a gross, somewhat inaccurate generalization, so don't take our word for it. Instead, read Don Box's article on .NET security.

Several attacks in the past year have targeted servers running Microsoft Internet Information Services (IIS). No matter how safe a system is, the more ports you leave open, the more chances a hacker has to find a hole. Windows .NET Server will ship with IIS 6.0, which showcases several key security advances. This month, Wayne Berry will walk you through some of these new features and compare them to the way you did things in IIS 5.0.

If you're considering Passport-based authentication for your site but you're worried about security, you now have more options, as explained by Michael Kogotkov-Lisin in his article on secure sign-in through Passport. This is of particular use if your site contains confidential information (like medical records or credit card data).

Finally, there are ways to set off red flags when your code has been compromised. Jason Coombs discusses a method for hashing your ASP.NET code, then checking it against a stored key. If any problems arise, you'll be able to tell that your source code has somehow been replaced.

Everyone should be looking at security in their systems as an ongoing process. Even if security is not your primary job, you should make it part of your work. A system is only as strong as its weakest link, and you don't want to be responsible for the point of breakthrough. Your customers and team will thank you.

—J.T.
