You ask: why did Microsoft train ALL developers on Security?

One of you readers asked me to investigate why Microsoft decided to train all developers on Security, rather than targeting either (a) those developers who touch security-related features or (b) one designated “security expert” on each development team.

You asked, I answer with a collection of quotes from various sources, but basically all from the horse’s mouth (yes Michael, that makes *you* the horse in this analogy).  Please enjoy, and feel free to link others you might stumble across…
“We need to teach more people about security. Now, you’re probably a geek, or a geek-wanna-be, and I bet you’re thinking, “ah, he’s trying to sell more copies of his book, he wants to teach people about writing secure code.” Ok, that’s true, I think software designers, developers & testers need to understand what it takes to build secure software; the threats have changed, and security no longer resides in the realm of the Security High Priesthood nor the Security Learned Few. Building secure software is simply part of getting the job done. Just like we learned the basics of optimal algorithms in school, kids coming out of school need to know the basics of building code that will run in that most hostile of environments – The Internet.”
“We require our SDL training to emphasize the basics of secure design, development and test – then allow employees and their management to select the training that meets the needs of their particular product or service.  There is one other point that bears mentioning – our training is constantly being reviewed or embellished to make sure that emerging security or privacy issues are being addressed. ”
“If your engineers know nothing about the basic security tenets, common security defect types, basic secure design, or security testing, there really is no reasonable chance they could produce secure software. I say this because, on the average, software engineers don’t pay enough attention to security. They may know quite a lot about security features, but they need to have a better understanding of what it takes to build and deliver secure features. It’s unfortunate that the term security can imply both meanings, because these are two very different security realms. Security features looks at how stuff works, for example the inner operations of the Java or common language runtime (CLR) sandbox, or how encryption algorithms such as DES or RSA work. While these are all interesting and useful topics, knowing that the DES encryption algorithm is a 16-round Feistel network isn’t going to help people build more secure software. Knowing the limitations of DES, and the fact that its key size is woefully small for today’s threats, is very useful, and this kind of detail is the core tenet of how to build secure features.

“The real concern is that most schools, universities, and technical colleges teach security features, and not how to build secure software. This means there are legions of software engineers being churned out by these schools year after year who believe they know how to build secure software because they know how a firewall works. In short, you cannot rely on anyone you hire necessarily understanding how to build security defenses into your software unless you specifically ask about their background and knowledge on the subject.”
(a) “But is it important to note that an education program is critical to the success of the SDL. New college and university graduates in computer science and related disciplines generally lack the training necessary to join the workforce ready and able to design, develop, or test secure software. Even those who have completed course work in security are more likely to have encountered cryptographic algorithms or access control models than buffer overruns or canonicalization flaws. In general, software designers, engineers and testers from industry also lack appropriate security skills.

“Under those circumstances, an organization that seeks to develop secure software must take responsibility for ensuring that its engineering population is appropriately educated. Specific ways of meeting this challenge will vary depending on the size of the organization and the resources available. An organization with a large engineering population may be able to commit to building an in-house program to deliver ongoing security training to its engineers, while a smaller organization may need to rely on external training. At Microsoft, all personnel involved in developing software must go through yearly “security refresher” training.”

(b) “One key aspect of the security pushes of early 2002 was product group team-wide training for all developers, testers, program managers, and documentation personnel. Microsoft has formalized a requirement for annual security education for engineers in organizations whose software is subject to the SDL. The need for an annual update is driven by the fact that security is not a static domain: threats, attacks and defenses evolve. As a result, even engineers who have been fully competent and qualified on the aspects of security that affect their software must have additional training as the threat landscape changes. For example, the importance of integer overflow vulnerabilities has increased dramatically in the last four years, and it has been demonstrated recently that some cryptographic algorithms have previously unrecognized vulnerabilities.

“Microsoft has developed a common introduction and update on security that is presented to engineers in both “live training” and digital media form. Microsoft has used this course as the basis for specialized training by software technology and by engineer role. Microsoft is in the process of building a security education curriculum that will feature further specialization by technology, role, and level of student experience.”
“Hopefully, you realize that reviewing other people’s code, while a good thing to do, is not how you create secure software. You produce secure software by having a process to design, write, test, and document secure systems, and by building time into the schedule to allow for security review, training, and use of tools. Simply designing, writing, testing, and documenting a project, and then looking for security bugs doesn’t create secure software. Code reviewing is just one part of the process, but by itself does not create secure code.”

The Security Development Lifecycle Chapter 5

“If your engineers know nothing about basic security tenets, common security bug types, basic secure design, or security testing, there really is no reasonable chance that they will produce secure software. We say this because, on average, software engineers know very little about software security. By security, we don’t mean understanding security features; we mean understanding what it takes to build and deliver secure features.”

Free XML tools? Trying to find a WYSIWYG editor for XML, XSLT – how hard can it be?

I’ve been using Microsoft’s Threat Analysis and Modeling tool (more on my experiences later), and one of the things I’ve determined is that I need an XML/XSLT editing/authoring tool to help me wade through all the information that’s buried in the threat model documents it generates (which is all written in well-formatted XML).

I’ve spent a few weeks trying desperately to find one tool that would allow me to do the following:

  • Get a quick overview of the XML without exposing me to all the raw code
  • Explore the hierarchy of XML in a treeview
  • Allow me to automatically collapse or hide certain elements and branches of the XML so that I can skip e.g. the GUID element in every object
  • Allow me to drag & drop XML elements around the document (or at least easy-to-use cut and paste)
  • Allow me to browse a self-describing set of the XML tags that are available to use in this document e.g. explore the document’s schema in tree form; collate a list of the XSL tags already in use in the document (not just all those potential tags supported in XSL 1.0 or 2.0)

A few abandonware tools that are mentioned all over the ‘Net, but which are no longer options:

  • ActiveState Visual XSLT: ActiveState delisted this years ago, and I cannot find a copy anywhere on the ‘Net for the life of me
  • Altova XMLSpy 2004 Home Edition: still available for download from Altova’s software archive, but they have removed all traces of the License keys that could be obtained for free
  • IBM XSL Editor: now part of some Websphere server-side engine

Some freeware apps I’ve found:

  • XMLmind Personal Edition: java-based GUI editor.  Provides collapsible tree view of document contents, inline editor for element text (hiding all the nasty tag content and code), and Provides downloadable add-ons to enable editing documents based on many different DTDs.
  • Microsoft XML Notepad 2007: horrible UI, but at least it abstracts away some of the complexity of XML…
  • Notepad++: does a good job of highlighting XML syntax and allowing you to collapse element branches, but doesn’t help my primary problem, which is…
  • XML Cooktop: XML syntax highlighting, processing XML with XSLTs and viewing the results
  • Butterfly XML: decent hierarchical view (and in my personal opinion, it beats out XML Notepad 2007), doesn’t scare off the user with tagged code, but no cut & paste capability (just add or delete).
  • Xerlin: Java-based XML editor
  • Vex: a “visual” XML editor 
  • Jaxe
  • XML Workbench

Visual Studio 2005 has some XML capabilities, but strangely nowhere near the level of “friendliness” that I’ve come to expect from this IDE:

  • It’ll open XML & XSLT just fine, perform the usual syntax highlighting, and even autocomplete any code that I try to add.
  • However, it just shows me the “raw code” – I can’t find any way to “hide” the code and just browse through this file in a more compact, abstract, more user-friendly way.
  • You know how you can switch between Design Mode and Code in VS2005 (e.g. creating a WinForms app)?  Or how FrontPage used to allow you to do the same thing?  That’s what I want.
  • Then I can learn some of the basics of what the code is doing by association, but in the meantime I can “get something done” without having to spend 15-20 hours learning about XML & XSLT syntax, language operators and all this minutia.
  • It’d be really cool if there was some sort of Object Browser tree view of the XSD (XML schema) or a “Toolbox” like collection of the kinds of code objects that I could add (that wouldn’t scare me off as much as raw code in unknown languages does).
  • Finally, I haven’t found any freebie XML-editing add-ons for VS2005.  [Other than the Visual XSLT from ActiveState that appears to have disappeared from existence.]
  • The next version of Visual Studio (“Orcas”) promises some improvements in dealing with XML & XSLT, but nothing earth shattering (at least not for my needs)

Actually, one of the best tools I’ve tried is another commercial app that I would never have expected to make “browsing and editing XML” as visual and flexible as it does: MindManager.

  • MindManager’s native document format is a compound XML document, and it’s able to open and save in unmolested XML format.
  • If you open an XML document, it’ll treat elements as Topics and element text as Callouts, making it easy to cut & paste or drag & drop elements from one part of the hierarchy (which looks like a tree with branches) to another.
  • It’s very slick, looks very simple but has all sorts of extensible power behind it.

And then there’s a raft of commercial apps that might do the trick, but which cost way more $$ than I have budget for:

  • Altova XMLSpy: For my purposes, this is no better than Visual Studio (even though it’s *loaded* with lots of additional features that I’m sure every XML goon would love).
  • Altova StyleVision: wow, how *un*suitable is that?  It doesn’t even open XSLT files – it only uses its own proprietary format, and while it seems to have lots of different ways to look at the content of the style sheet you’re working on, none of it seemed intuitive or familiar.  Probably makes more sense to someone who’s been using Altova tools for a while.
  • Stylus Studio XML: I like the visual XSLT mapper, the XSLT “backmapper”, their Sense:X feature, their ability to drag-and-drop from source XML to the XSLT (with intelligent handling of the resulting object), and their WYSIWYG XSLT designer (“You Design the HTML; Stylus Studio Writes the XSLT”)!!  Man, with all this going for it, I’m going to at *least* spend a few days with the eval version. 🙂


Surprised?  I was.  MindManager and Stylus Studio XML were *not* on the short list – they’ve (a) never been mentioned by anyone I talked to who had any familiarity with XML, and (b) if you’d asked me about any tools that have XML editing capabilities I’d never have been able to come up with these.


Sidebar: Lemme just mea culpa for a sec – it’s not that I can’t code (I taught myself VB.NET from scratch), but it seems horribly inefficient to try to edit existing XSLT documents only after I have to learn every little aspect of XSLT and XML syntax.  Doesn’t it?

Questions from a VB.NET amateur on the occasion of my first C# project…

  • Why doesn’t Visual Studio auto-generate the {} when I add an “if (true)” statement/a “foreach ()” statement/a “try” block and hit [Enter]?
  • Why doesn’t Visual Studio automatically clean up the indenting of my code, comments, etc. when I add/remove the { } braces or other things that would affect the layout of the existing code?
  • If these damned curly braces and brackets are so damned important, why aren’t they filled in automatically every chance we get?’
  • Why won’t Visual Studio automatically format the trailing */ characters when I hit Enter (which gives me the next * character + a space) and I type the / character?  VS should be able to handle auto-formatting as simple as that.

News (?): Americans willing to pay (a little) more for privacy

I don’t know if I should be surprised at this or smug – right now I’m leaning towards pleasantly surprised.  I guess I’m surprised that (at least according to this study’s methodology) there isn’t more of a price differential for good privacy but hey, I can certainly understand people being a little skeptical that any privacy can be protected in this day and age.

They found that people will, in fact, pay more to purchase from sites with a solid privacy policy, but only if that policy is easy to see and understand.

For those of you developing products and who wonder whether it’s worth the effort to spend time on “privacy issues”, take heart:

It could also be good news for retailers, who can use robust privacy policies as a selling point…

See the full article here: Americans willing to pay (a little) more for privacy

Patenting security patches? Slimy, greedy, sad

Ugh.  As in ug-ly.  This is get-rich-“quick” parasitism at its finest.  I really wish bottom-feeders like this would find a way to use their obviously-untapped energies to contribute something constructive to the economy, society or culture.

How does it work?  “…a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You’ll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff.”

And how will they get around the lengthy patent application process?  “The company says that it may try to use a Petition to Make Special in order to speed up the examination process when filing a U.S. patent. Another strategy the firm proposes using is to go after a utility model rather than a patent-a utility model being similar to a patent but easier to obtain and of shorter duration-typically six to 10 years.”

“In most countries where utility model protection is available, patent offices do not examine applications as to substance prior to registration,” the company says. “This means that the registration process is often significantly simpler, cheaper and faster. The requirements for acquiring a utility model are less stringent than for patents.”

Patents and copyright in their current form have outlived their usefulness.  I can’t remember the last time I read a story about a “little guy” who actually benefited from the patent or copyright protections for whom they were originally meant.  Now it all seems to be about providing a stable base of income for multinationals to leverage when they can no longer actually contribute something genuinely new and useful to the planet.

Encrypting %TEMP% with EFS: software installation concerns

One of the biggest bones of contention in the use of EFS is whether to encrypt the user’s %TEMP% folder or not.  It starts off pretty innocuously: many applications create temporary files in the user’s %TEMP% directory, and often these files can contain the same sensitive data that is contained in the original data files the users are opening.  That means the %TEMP% folder should be encrypted, right?

Microsoft originally recommended that %TEMP% be encrypted when using EFS.  Then reports of application compatibility issues came in, which created new “don’t encrypt %TEMP%” advice which has lingered long after those issues have been a real issue for most customers.  And yet there’s still varying opinions on this (e.g. here and here).

However, there’s one case that continues to dog those of us trying to enforce protection of sensitive data using EFS: software installation.  If I encrypt my %TEMP% folder and then try to install a bunch of applications myself (e.g. download and run the install files through the Windows UI), chances are I’ll find a few applications that either (a) won’t install (e.g. an older version of MSN Messenger had this problem) or (b) won’t work correctly after install (see this KB article for example).

While at Microsoft, I doggedly reported these app compat issues every time I ran into one, getting them fixed one by one (at least in MS apps).  Then I heard that the Windows Installer team had implemented a fix around the time that Vista shipped, and I figured we’d finally licked the problem.

However, there are recently KB articles (here and here) that indicate this is still a problem with Windows Vista and Office 2007.

So here’s one more attempt to clear up the confusion this issue creates, and provide definitive guidance on how to avoid problems with encrypted %TEMP%.  [John Morello got it right in a recent Technet article – but I suspect he may have cribbed this tip from some of the talks I’ve given over the years. ;)]

The only scenario in which installing software could fail due to encrypting the user’s %TEMP% folder is when:

  1. The software is being interactively installed by the user, not by a software distribution package (e.g. SMS, Tivoli, Altiris, etc.).
  2. The installer doesn’t understand EFS.  (e.g. The version of Windows Installer that shipped with Windows Vista knows to decrypt any encrypted folders it creates before handing off to the Windows Installer service running as SYSTEM)
  3. The installer moves (rather than copies) the files that it unpacks into the %TEMP% directory.  (Moving encrypted files to an unencrypted directory will leave the files encrypted
  4. The %TEMP% folder is left encrypted while the install takes place.  (You could distribute software installs with pre- and post-install actions that run simple command-line scripts to decrypt/encrypt the %TEMP% folder  e.g.
         cipher.exe /D %TEMP%
         cipher.exe /E %TEMP%


  • If all software installs are performed by a software distribution system such as SMS, Tivoli, Altiris, then you should be safe encrypting %TEMP%.
  • If your users are on Windows Vista, and
    • If the software being installed is packaged with MSI or other EFS-aware installers, then
    • You should be safe encrypting %TEMP%
  • If your users aren’t on Windows Vista, and
    • If your users install software themselves (e.g. download and run MSI install files), and
      • You can’t edit the install packages for the software that your users need to install, then
      • You should not encrypt %TEMP%.

Hey, in the long term I hope this issue gets buried once and for all – either EFS will become so ubiquitous that customers will report these issues in droves, and all the installer ISVs will finally fix their apps (including backports to earlier versions of Windows).  Or, EFS will be supplanted by some future implementation of ubiquitous encryption, making the need for file-based encryption a moot point.  [I don’t see that in the next few years, but never say never.]

Something broke my CacheMyWork app!

Ever since I joined up with my current employer, I’ve been unable to get consistent results out of my CacheMyWork application. It wasn’t exactly professional quality when I released it, but it did what I wanted nicely on some XP & Vista systems I’d been using.

Since getting my IT-issued notebook, however, I’ve been unable to get the darned thing to work consistently. When I “cache” a half-dozen or more apps, I’ve never yet seen *all* of them start up at my next logon; sometimes I’ve even seen that NONE of them run. And yes, I’m quite certain that the Registry entries are getting successfully created (under HKCU\…\RunOnce) – which means that something is interrupting the execution of these once I’ve logged on.

My suspicions are heavily weighted towards the McAfee suite of security apps, especially AntiSpyware and HIPS (Host Intrusion Prevention Service aka “entercept”). I’ve been trying to figure out how to block their activity, even temporarily (which admittedly is pretty much what I’m sure they were built to withstand), but no luck.

I’ve tried escalating through the IT service desk folks, but they are pretty much lacking in cluefulness – all I get is pointers to a couple of web pages and a vague escalation process (which seems to terminate in “single-app exceptions that *might* be added to the configuration). I need to be able to unblock whatever it is that’s intercepting CreateProcess (presumably) by the shell when it’s iterating through the HKCU\…\RunOnce values – the whole point of my app is to let me restart *any* user app, so one-by-one exception allowances is hardly an efficient solution.

I’ll keep digging, but if anyone has ever seen this kind of behaviour and/or has any pearls of wisdom on how to log/troubleshoot RunOnce activity, I’d sure appreciate a nice smack upside the head. [figuratively speaking – I’ll provide other rewards for anyone that actually helps me make progress…]