Microsoft Defies Human Nature With Built-In Bug Catcher

Microsoft says it will equip its Visual Studio .Net with a plug-in from security software vendor Sanctum designed to catch common security vulnerabilities at development time. This new feature is intended to let programmers check their code more often for security flaws, helping them release code free of common exploits.

The fact that this news is lauded as a great move is indicative of many companies' failure to adequately enforce security and coding policies. It also points to their shoddy code-review processes and the incompetency of some of their programmers. Buffer overflows generally occur when a developer copies one string into another and the length of the former is longer than the length of the latter. The fact that no one checks the length of the string being copied is astounding. The notion that QA processes don't catch such errors is just confounding.

Although documenting test cases and performing unit tests on code is not the most exciting part of development, such tedious tasks are necessary to ensure that the underlying code does not contain defects--especially defects that could cause security breaches.

Introducing an automated method of scanning for vulnerabilities during development is the correct course of action, but if companies are unwilling or unable to create and enforce the necessary coding and QA practices that would ensure compliance, how can they enforce the use of such a tool?

Besides, an automated tool cannot replace due diligence. It can only assist in a company's efforts to reduce its product's security vulnerabilities. Those efforts should include a closer examination of code and better training for developers--and perhaps tougher punishment than a slap on the wrist for developers who continue to introduce exploits.Anyone familiar with Microsoft's history of developing software vulnerable to buffer-overflow exploits is sure to sense the irony. We can only hope Microsoft's endorsement of Sanctum's product by including it with the Microsoft development environment means the programmers responsible for developing Microsoft's other products will be using it, and using it often.

Visit www.nwc.com/buzzcut/ to find more technology news analysis and post your own opinions.