Security holes force firms to rethink coding processes
By
Ellen Messmer
,
Network World
, 04/19/2004
Microsoft's issuance last week of 14 security patches raised fears that worm-based attacks would follow and sparked discussion on how to better build code.
Of the holes identified in Windows XP, Windows Server 2003 and older versions, some are so critical that exploiting them could
lead to total compromise of machines and files, security experts say. But the way to eliminate such vulnerabilities isn't
patching after the fact; it is building tools and processes that produce more secure code and weed out problems in the development
phase.
It's a problem that bedevils not only Microsoft but any large company that writes its own applications or source code. Many
organizations try to stomp bugs by having the chief software architect and programmers work in a formal process with the security
manager's staff as part of the code-evaluation process, says Steve Orrin, CTO at Sanctum.
Gathering dust
Although companies often make an effort to train developers about problems such as buffer overflows, Orrin says, the corporate
policy ideas contained in written secure-coding practices "usually sit on a shelf gathering dust." The pressure to get product
out the door sometimes means the code review isn't as thorough as it could be.
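The buffer-overflow class that Orrin cites as the standard training topic is easy to show concretely. The following is an added example, constructed for this page and not code from Microsoft, Sanctum or eEye: a string copy written the way much 2004-era C was written, beside a hardened version that a code review (or a static checker of the kind the article goes on to describe) is meant to catch. The function names, the 8-byte buffer and the input strings are all made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example. The classic defect: strncpy() does not write a NUL
 * terminator when the source fills the whole destination, so a later
 * strlen() or printf("%s") on dst reads past the end of the buffer. */

/* Vulnerable: silently truncates and may leave dst unterminated. */
void copy_name_unsafe(char *dst, size_t dst_len, const char *src)
{
    strncpy(dst, src, dst_len);   /* no terminator if strlen(src) >= dst_len */
}

/* Hardened: measure first, refuse input that does not fit, always terminate.
 * Returns 0 on success, -1 if src does not fit (the caller must handle it). */
int copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {
        if (dst_len) dst[0] = '\0';   /* leave a valid (empty) string behind */
        return -1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 copies the terminator too */
    return 0;
}

/* Is there a NUL anywhere in buf? Checked with memchr so the probe itself
 * never runs off the end of the buffer. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    char buf[8];
    const char *too_long = "ABCDEFGH";   /* 8 chars: fills buf, no room for NUL */
    int rc;

    memset(buf, 'X', sizeof buf);
    copy_name_unsafe(buf, sizeof buf, too_long);
    printf("unsafe: terminated=%d\n", is_terminated(buf, sizeof buf));

    memset(buf, 'X', sizeof buf);
    rc = copy_name_safe(buf, sizeof buf, too_long);
    printf("safe: rc=%d terminated=%d\n", rc, is_terminated(buf, sizeof buf));

    rc = copy_name_safe(buf, sizeof buf, "Bob");
    printf("safe: rc=%d value=%s\n", rc, buf);
    return 0;
}
```

The point of the hardened version is not the bounds check alone but the explicit failure path: the caller gets a return code instead of a truncated or unterminated string, which is the behaviour a review checklist should ask for.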
Michael Howard, Microsoft's senior program manager in the security business and technologies unit, last week rejected any suggestion
that Microsoft ships any product before thorough security-based code evaluation.
"We've delayed products such as Windows Server 2003 for nine months because of security issues," says Howard, whose job is
to foster expertise among Microsoft programmers through a continuing education process and what he describes as a "buddy system"
that teams security experts with programmers.
But Microsoft only has about a dozen of these security specialists to interact with about 20,000 software engineers. Howard
says Microsoft is looking at doing more online training to be able to "scale" the process.
Redmond makes use of homegrown code-review tools, including the desktop-based Prefast for static code review and Prefix that
runs on servers. Prefast eventually might be added to Microsoft's Visual Studio development tool. Microsoft also sometimes
turns to outside firms - eEye Digital Security is one - for independent review of products.
In fact, eEye Digital Security months ago uncovered several of the most-critical vulnerabilities that Microsoft identified
last week. But eEye COO Firas Raouf says word of the vulnerabilities was kept quiet until a patch could be devised.
eEye Digital Security, which sells vulnerability scanners and will soon announce a host-based intrusion-prevention product,
relies on crack-shot bug-hunters and tools developed in-house to pinpoint hard-to-see flaws in software.
Comments (1)
Thanks, nice article. By mixmagtmb on March 27, 2008, 11:04 am