Asked and Answered: More Secure .NET Development
Dinis Cruz spends a lot of time worrying about .NET security. The well-known
security consultant and trainer is chief security evangelist of the
Open
Web Application Security Project (OWASP), which aims to improve software
security.
RDN contributor John Waters caught up with Cruz at a recent industry
event. You can read more about this in the Nov. 15 issue of Redmond Developer
News magazine.
RDN: In a nutshell, what's your biggest security concern?
Cruz: We're not putting enough resources and investment into sandboxing
technology. The consequence is that developers aren't taking sandboxing seriously
anymore.
In ASP.NET, the "sandbox" is called Code Access Security.
Yes, both .NET and Java allow for the creation of a sandbox, which can be enabled
and disabled. The problem is, everyone disables it. I think that about 99 percent
of the code out there runs with Full Trust with no sandbox -- and I think I'm
being generous with that 1 percent.
Your favorite conference demo seems to be something you call "rooting
the CLR." What is that?
This is one way to expose the dangers of Full Trust ASP.NET code. I show how,
with Full Trust, I can load some .NET code and change the framework behavior.
If this is such a problem, why aren't Microsoft and Sun doing something
about it?
I've argued with Microsoft quite a lot about this, and they always listen and
they usually agree with me. But their clients aren't demanding it, and the developers
don't like putting in all the extra work that it takes to safely contain malicious
code, or benign code that could be executed in a malicious way. So, not much
gets done.
I've read that you're interested in getting developers to go beyond their
comfort zone when it comes to security. Is this a developer problem?
I don't believe that it's the fault of the developer. I think they're too often
used as the scapegoats in all this. Remember that they are paid for features
and speed, not security. In fact, it doesn't make business sense to write secure
code today. Unless it's something really obvious, the users can't evaluate the
security of an application. If you're really on the firing line, as many of
Microsoft's products are, then you do a bit of work on that. But in most cases,
if the attackers aren't exploiting it, the companies don't feel the need to
code securely.
Cruz is deeply concerned that dev shops aren't doing more to isolate their
code. Does he have a point? What would it take for your company to make secure
code a higher priority, and what issues have you run into when trying to improve
code security? E-mail me at mdesmond@reddevnews.com.
Posted by Michael Desmond on 10/24/2007