Ten Years of Trustworthy Computing at Microsoft: A Developer's Perspective
Published: January 17, 2012
Author: Raffaele Rialdi, Microsoft MVP - Developer Security
Application security is, or should be, a major concern during the entire development lifecycle. At Microsoft, it all began 10 years ago when Bill Gates decided to change the company's approach by introducing the Trustworthy Computing initiative in a famous e-mail addressed to all his employees.
This decision triggered a huge change in software development not only inside Microsoft but also for all developers who use Microsoft tools, libraries, and frameworks.
When it comes to application security, there is no single library, no specific best practice or magic test that can be used as a “silver bullet.” The strategy indicated in the original paper has evolved into the orchestration of several activities whose pillars are Secure by Design, Secure by Default, and Secure in Deployment. These pillars have further evolved through the Microsoft Security Development Lifecycle (SDL), which is now a well-recognized methodology.
The big advantage of having identified such a methodology is that we can achieve a valid risk analysis even though we cannot be aware of every current or future attack technique. For example, SDL principles and processes have been integrated into templates such as the Microsoft Solutions Framework (MSF)-Agile + SDL Process Template for Microsoft Visual Studio Team Server.
However, the absence of a “silver bullet” means that every single developer plays a fundamental role in achieving an acceptable level of security. Furthermore, many project managers and architects labor under the misconception that application security is something that can be addressed at a later stage of the development lifecycle. As a consequence of this attitude, developers may not be motivated to apply basic security best practices, which, admittedly, often take real effort to enforce. This is a common pitfall: failing to identify potential security problems by creating a threat model in the early stages of development can lead to vulnerabilities that are baked into the design and cannot be undone later. Threat modeling and security best practices are critical and fundamental steps of the SDL methodology.
The awareness of internal Microsoft teams about application security has led to an incredible number of initiatives for developers—all of which are aimed at making it easier to implement security best practices.
Call to Action
On the native development side, my favorite is Safe CRT, which I wrote about in an MSDN article (in Italian) a few years ago: Safe CRT is the revised set of C runtime (CRT) libraries that help the developer mitigate buffer overrun attacks. I should also mention the /GS Visual C++ compiler option, which detects attacks on the call stack without requiring any effort from the developer.
I would consider the Microsoft .NET Framework itself a quantum leap toward more secure code. The Common Language Runtime (CLR) spares developers the mess of stray pointers destroying the address space of the application, and it partitions the process space into several application domains while preserving the boundaries between them.
There are, of course, many attacks that can occur regardless of whether the code is native or managed. Take, for example, risk number one according to the OWASP Top 10 for 2010: SQL Injection. The developer can avoid SQL Injection by using traditional SQL parameters in conjunction with the Microsoft Web Protection Library (WPL), or by adopting newer Object/Relational Mapping (ORM) technologies such as the Microsoft ADO.NET Entity Framework, which, in conjunction with LINQ, can help you generate SQL statements that are injection-proof.
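To make the difference concrete, here is an added example in C# with ADO.NET (mine, not code from the article or from Microsoft): the same lookup written first with string concatenation, which is what makes SQL Injection possible, and then with a SQL parameter. The `Users` table, its `Id` and `Name` columns, the `@name` parameter and the connection string are assumptions for illustration; the LINQ line in the closing comment assumes an Entity Framework context with a `Users` set.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: a user lookup written the vulnerable way and the safe way.
// A table "Users" with columns Id and Name is assumed for illustration.
public static class UserLookup
{
    // VULNERABLE: the user-controlled value is spliced into the SQL text, so a
    // single quote in the input ends the string literal and whatever follows is
    // parsed by the server as SQL. Never build queries this way.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT Id, Name FROM Users WHERE Name = '" + userName + "'";
    }

    // SAFE: the SQL text is a constant and the value travels as a typed
    // parameter; the server never parses the input as part of the statement.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string userName)
    {
        var command = new SqlCommand(
            "SELECT Id, Name FROM Users WHERE Name = @name", connection);
        // An explicit type and length (assumed here to match the column) avoids
        // AddWithValue's inference of type and length from the runtime value.
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return command;
    }

    public static void PrintMatchingUsers(string connectionString, string userName)
    {
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            using (var command = BuildParameterizedCommand(connection, userName))
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine("{0}: {1}", reader.GetInt32(0), reader.GetString(1));
                }
            }
        }
    }

    // With the ADO.NET Entity Framework and LINQ the same query is written as
    //     context.Users.Where(u => u.Name == userName).ToList();
    // and the provider emits a parameterized statement equivalent to the one above.
}
```

The point to take away is that the safe version never lets the input change the shape of the statement: the text the server compiles is identical for every call, and only the parameter value differs.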
Another common attack that is hard to manage by hand is cross-site scripting (XSS). I remember the first release of the Anti-XSS library in 2006. It's now stronger, easier to use, and also available via the NuGet gallery in Microsoft Visual Studio. The library is now a powerful weapon in the developer’s security arsenal, and it will be part of the .NET Framework 4.5 release.
As the web has evolved, new standards have given rise to new frameworks such as Microsoft ASP.NET Model View Controller (MVC), which makes the AJAX communication pattern easier to manage. The primary concern when using AJAX is safeguarding the application from cross-site request forgery attacks; MVC offers a default mechanism that helps web developers in these situations.
There is also a long list of good security libraries. The CLR Security libraries on CodePlex are a good example of the excellent work the CLR team did to make cryptographic algorithms easy to use in a secure way.
Beginning with the .NET Framework 3.5, we gained Windows Identity Foundation, an entirely new framework that gives any developer access to the newer standards for implementing claims-based authentication and authorization. These are very powerful libraries, as they are the pillar of cloud-based security. In fact, the Windows Azure platform offers the amazing Access Control Service, which can manage the authentication process by issuing tokens that can be shared across every application—whether in the cloud or on-premises.
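As an added example (not from the article, and not the library's own documentation), here is how the Anti-XSS library's encoder is used from C#. It assumes the AntiXSS NuGet package, which exposes `Microsoft.Security.Application.Encoder`; the display name and city values are constructed for the demonstration. The example goes one step beyond the paragraph by showing that the encoding has to match the context the value lands in: element content, an attribute value and a script block each need a different encoder.

```csharp
using System.Text;
using Microsoft.Security.Application; // Encoder from the AntiXSS library (NuGet package "AntiXSS")

// Added example: rendering untrusted values into HTML content, an HTML
// attribute and a JavaScript string. HTML encoding alone is not enough for
// the attribute or the script block, so each context gets its own encoder.
public static class ProfileRenderer
{
    // VULNERABLE: untrusted values are concatenated straight into the markup,
    // so markup or script characters in them are interpreted by the browser.
    public static string RenderVulnerable(string displayName, string city)
    {
        return "<span title=\"" + city + "\">" + displayName + "</span>"
             + "<script>var who = '" + displayName + "';</script>";
    }

    // SAFE: every value is encoded for exactly the context it lands in.
    public static string RenderEncoded(string displayName, string city)
    {
        var html = new StringBuilder();
        html.Append("<span title=\"")
            .Append(Encoder.HtmlAttributeEncode(city))          // attribute value context
            .Append("\">")
            .Append(Encoder.HtmlEncode(displayName))            // element content context
            .Append("</span>");
        html.Append("<script>var who = ")
            .Append(Encoder.JavaScriptEncode(displayName, true)) // quoted, escaped JS string literal
            .Append(";</script>");
        return html.ToString();
    }

    // Constructed sample input containing markup and quote characters.
    public static string Demo()
    {
        return RenderEncoded("Mario <b>Rossi</b>", "Genoa \"La Superba\"");
    }
}
```

In the .NET Framework 4.5 the same encoder ships in the framework as `System.Web.Security.AntiXss.AntiXssEncoder`, and it can be made the default encoder for the whole application through the `encoderType` attribute of `<httpRuntime>` in web.config, so that the built-in `<%: %>` and Razor `@` output syntax use it automatically.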
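The default MVC mechanism the paragraph refers to is the anti-forgery token. Here is an added example of how a controller uses it (mine, not code from the article or from the ASP.NET team); the controller, action names and parameter are hypothetical, and the Razor view mentioned in the comment is assumed rather than shown.

```csharp
using System.Web.Mvc;

// Added example: an ASP.NET MVC controller relying on the framework's built-in
// anti-forgery mechanism. Controller, actions and model are hypothetical.
public class AccountController : Controller
{
    // GET only renders the form and changes nothing. The Razor view (assumed)
    // emits the token with
    //     @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... }
    // which writes a hidden field named __RequestVerificationToken and sets a
    // matching cookie.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // The state-changing action accepts POST only and requires the hidden
    // field and the cookie to match. A cross-site page can make the victim's
    // browser send the cookie, but it cannot read the hidden field value, so
    // a forged request is rejected before the method body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (!ModelState.IsValid)
        {
            return View();
        }
        // ... persist the new address for the authenticated user (omitted) ...
        return RedirectToAction("Index", "Home");
    }
}
```

For AJAX calls the check is the same: the client-side script reads the value of the hidden `__RequestVerificationToken` field that the view rendered and sends it as a form field of the POST, so the attribute validates it exactly as it would for a regular form submission. The split between a harmless GET and a protected POST matters too: a state-changing GET action has no token to check and would defeat the mechanism.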
On the tools side, there are many knives in the developer's pocket. My favorite is the SDL Threat Modeling Tool, but there are other SDL tools worth considering, including the Microsoft Web Application Configuration Analyzer, Attack Surface Analyzer, the MiniFuzz and RegexFuzz fuzzers, and the Code Analysis feature integrated into Visual Studio 2010. (Note: As announced at the last BUILD Conference, Code Analysis will be available in the Microsoft Visual Studio Express edition beginning with the next release.)
In 2002, Bill Gates pointed out that Trustworthy Computing was a journey rather than a destination. We are still on this journey; while it’s not one that will ever come to an end, over the course of the past 10 years Microsoft has amassed many indisputable achievements and success stories.
About the Author
Raffaele Rialdi is a senior software developer based in Genoa, Italy. He has long experience (since the 1980s) with Microsoft technologies. He is a trainer, a conference speaker, a consultant, a community leader and, first of all, the lead of a developer group at his company. His favorite languages are C++ and C#, and he is currently digging deeper into WinRT technology. He is also very proud of his ninth Microsoft MVP award.