Don Kiely's Technical Blatherings

All Things Technical in .NET, SQL Server, and Security




Microsoft & Security: It Isn't #2, But It Is Trying Harder. Sort of.

There's a very nice article that went up on MSDN last month about security: Guidance on Patterns & Practices: Security by Keith Pleas. Several security-minded bloggers have written about it, so this hopefully is not news. But I'd like to share a few observations.

Keith is not a Microsoft employee, but he has been a contractor to them in various capacities for years, lately with the Patterns & Practices group that tells those of us who implement Microsoft technologies how to do things the best way, or at least the Microsoft way.

What I really found interesting in the article is not so much the technical information--it's a fairly high-level view--but the admission that Microsoft doesn't always release sample code that shows okay practices, much less best practices, for security. Keith talks about two specific examples, the widely discussed, used, and studied Duwamish Books and Fitch & Mather Stocks. At best, the two apps include some minor security comments in the docs that indicate that in a “real” application you surely wouldn't do such an unsafe, insecure implementation. But there are a lot of real-world apps out there that do just that, either because they are extensions of one of the sample apps or because the samples were used as the basis for another app.

This is generally Good News. Even though a 'Softie didn't write it, Microsoft published it. One of the promises Microsoft has made for the 2005 edition of its development tools is to improve communications about secure practices, including how it does its sample apps. This is going to make it harder to set up the samples because you'll have a few security-related hoops to jump through; gone are the days of xcopy deployment to play with code.

The article is an interesting read as Keith puts the sample apps through a mini security review. While there isn't much depth there--the article would be many times longer if there were--it's a good exercise and a good warning about using Microsoft sample code blindly without carefully examining and analyzing it. (In fairness to the samples, some were written outside Microsoft and in more innocent times. But those are lame excuses in today's security environment, particularly since some of the flaws were well known when the samples were created or last updated. The company should pull them when they are discovered to have security flaws.)

Alas, the appearance of this article doesn't mean that all is well with security in Microsoft-land. Keith's Patterns & Practices group just released their Enterprise Library 2005 with seven newly updated application blocks. The problem is that if you install it to the default location, under c:\Program Files, when you try to use them you get an error saying that you can't write to a file. (Thanks to Robert Hurlbut for first bringing this to my attention.) Which shows that the folks that developed EntLib aren't running with lesser privileges, and these tools didn't get a decent security review. Will Microsoft ever learn???? Or will they keep shipping software with these kinds of problems, even while preaching that the rest of the world use good security practices? Aargh!

Anyway, check out Keith's article. It's a worthwhile read.

posted on Friday, February 04, 2005 8:32 AM by donkiely




