home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |		 APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers



 
NetNews
N E W S / A N A L Y S I S  


Microsoft Defies Human Nature With Built-In Bug Catcher

  March 5, 2003
  By Lori MacVittie


TOC Issue TOC
Printer Print full article
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

Microsoft says it will equip its Visual Studio .Net with a plug-in from security software vendor Sanctum designed to catch common security vulnerabilities at development time. This new feature is intended to let programmers check their code more often for security flaws, helping them release code free of common exploits.

Discuss Join other NWC readers in discussing this article.
The fact that this news is lauded as a great move is indicative of many companies' failure to adequately enforce security and coding policies. It also points to their shoddy code-review processes and the incompetency of some of their programmers. Buffer overflows generally occur when a developer copies one string into another and the length of the former is longer than the length of the latter. The fact that no one checks the length of the string being copied is astounding. The notion that QA processes don't catch such errors is just confounding.

Although documenting test cases and performing unit tests on code is not the most exciting part of development, such tedious tasks are necessary to ensure that the underlying code does not contain defects--especially defects that could cause security breaches.

Introducing an automated method of scanning for vulnerabilities during development is the correct course of action, but if companies are unwilling or unable to create and enforce the necessary coding and QA practices that would ensure compliance, how can they enforce the use of such a tool?

Besides, an automated tool cannot replace due diligence. It can only assist in a company's efforts to reduce its product's security vulnerabilities. Those efforts should include a closer examination of code and better training for developers--and perhaps tougher punishment than a slap on the wrist for developers who continue to introduce exploits.

Anyone familiar with Microsoft's history of developing software vulnerable to buffer-overflow exploits is sure to sense the irony. We can only hope Microsoft's endorsement of Sanctum's product by including it with the Microsoft development environment means the programmers responsible for developing Microsoft's other products will be using it, and using it often.

Visit www.nwc.com/buzzcut/ to find more technology news analysis and post your own opinions.







Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More articles from our career center










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch
Microsite of the Week


Powerful Information at Your Fingertips



InformationWeek Business Technology Network
InformationWeekInformationWeek 500InformationWeek 500 ConferenceInformationWeek AnalyticsInformationWeek CIO
InformationWeek EventsInformationWeek ReportsInformationWeek MagazinebMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingNo JitterPlug Into The Cloud
space
Techweb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0 ConferenceMobile Business ExpoSoftware ConferenceCSI - Computer Security Institute
Black HatGTECEnergy CampMashup CampStartup Camp
space
Light Reading Communications Network
Light ReadingLight Reading EuropeUnstrungLight Reading's Cable Digital NewsConstantinopleInternet EvolutionPyramid Research
Heavy ReadingLight Reading Live!Light Reading InsiderEthernet ExpoOptical ExpoTeleco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems & TechnologyInsurance & TechnologyWall Street & TechnologyAccelerating Wall StreetBank Systems & Technology Executive SummitBuyside Trading SummitInsurance & Technology Executive Summit
space
Microsoft Technology Network
MSDN MagazineTechNetThe Architecture Journal
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights