I’m not impressed by the new version of the Developer Highway Code from Microsoft. There’s no denying the fact that it’s all good, sound, common sense guidance, but I’m wondering for whom, and also who Microsoft expect to actually read it.
Let’s take Module 2 on “Security Objectives.” We all know that defining security objectives is essential; however, I’m not certain that I want the developers to take responsibility for doing this. What I want from them is the ability to write a secure application that meets stated objectives, where those have been defined by individuals who understand the business and the impact that security weaknesses might have. So telling a developer that security “objectives and requirements should be defined early in the application development process” is fair enough, but you’re telling the wrong person.
Then in Module 3, the developers will close the book and go home as soon as they read about the need to design a “pattern-based information model that defines a set of security related categories specifically for the application type you are designing.” So, in fact, the rest of the chapters are wasted words, because nobody in the target audience is going to get past this section.
And that’s no bad thing, because the rest of the guide is a “cookbook” type set of checklists that simply have no real place in the real world. They’ve been written to be as generic as possible and as such can be taken as being “best practice” guidelines, but I’m unconvinced that any development team will ever make such a checklist part of their own development process. For instance, at which point in the process is our developer supposed to put a tick against the item “The design addresses the required scalability and performance criteria”? I’ll answer that – he never will, because he’ll be stuck for a month on the first checklist item, “The design identifies, understands and accommodates the company security policy”, trying to find out what and where this is.
I have been working for the best part of the last five years trying to get development teams to understand and implement security requirements during the development process. Guides such as this do not work and do not get used. What works is providing good code related resources (such as the excellent “Writing Secure Code” by M. Howard), examples of how to achieve secure coding tasks (using tools such as the excellent HackMe series provided by Foundstone), providing strongly mandated and enforceable standards, training, encouraging peer reviews, performing code reviews, testing, testing and more testing.
Microsoft do provide a plethora of other fine resources that are genuinely useful in this subject area. This book was somebody’s bright idea, but clearly not bright enough for them to believe anyone will buy it, because it’s available free from Microsoft here: http://msdn2.microsoft.com/en-gb/security/aa473878.aspx