Copyright © 2003 by Microsoft Corporation
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
All rights reserved. No part of the contents of this book may be reproduced by any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Howard, Michael, 1965- Writing Secure Code / Michael Howard, David LeBlanc. -- 2nd ed.
p. cm.
Includes index.
ISBN 0-7356-1722-8
1. Computer security. 2. Data encryption (Computer science). I. LeBlan
II. Title.
QA76.9.A25 H698 2002b
005.8--dc21 2002035986
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors wo
about international editions, contact your local Microsoft Corporation office
Press International directly at fax (425) 936-7329. Visit our Web site at ww
comments to
Active Directory, ActiveX, Authenticode, Hotmail, JScript, Microsoft, Microso
Visual Basic, Visual C++, Visual Studio, Win32, Windows, and Windows NT
trademarks or trademarks of Microsoft Corporation in the United States an
product and company names mentioned herein may be the trademarks of
The example companies, organizations, products, domain names, e-mail a
places, and events depicted herein are fictitious. No association with any re
product, domain name, e-mail address, logo, person, place, or event is inte
inferred.
Acquisitions Editor: Danielle Bird
Project Editor: Devon Musgrave
Technical Editor: Brian Johnson
Body Part No. X08-92500
For Cheryl and Blake, the two most beautiful people I know.
—Michael
To Jennifer, for putting up with still more lost weekends when we should have been out riding together.
—David
Introduction
During February and March of 2002, all normal feature work on Microsoft Windows stopped. Throughout this period, the entire development team turned its attention to improving the security of the next version of the product, Windows .NET Server 2003. The goal of the Windows Security Push, as it became known, was to educate the entire team about the latest secure coding techniques, to find design and code flaws, and to improve test code and documentation. The first edition of this book was required reading by all members of the Windows team during the push, and this second edition documents many of the findings from that push and subsequent security pushes for other Microsoft products, including SQL Server, Office, Exchange, Systems Management Server, Visual Studio .NET, the .NET common language runtime, and many others.
The impetus for the Windows Security Push (and many of the other security pushes) was Bill Gates's “Trustworthy Computing” memo of January 15, 2002, which outlined a high-level strategy to deliver a new breed of computer systems, systems that are more secure and available. Since the memo, both of us have spoken to or worked with thousands of developers within and outside Microsoft, and they've all told us the same thing: “We want to do the right thing—we want to build secure software—but we don't know enough yet.” That desire and uncertainty directly relates to this book's purpose: to teach people things they were never taught in school—how to design, build, test, and document secure software. By secure software, we don't mean security code or code that implements security features. We mean code that is designed to withstand attack by malicious attackers. Secure code is also robust code.
Our goal for this book is to be relentlessly practical. A side effect is to make you understand that your code will be attacked. We can't be more blunt, so let us say it again. If you create an application that runs on one or more computers connected to a network or the biggest network of them all, the Internet, your code will be attacked.
The consequences of compromised systems are many and varied, including loss of production, loss of customer faith, and loss of money. For example, if an attacker can compromise your application, such as by making it unavailable, your clients might go elsewhere. Most people have a low wait-time threshold when using Internet-based services. If the service is not available, many will take their patronage and money to your competitors.
The real problem with numerous software development houses is that security is not seen as a revenue-generating function of the development process. Because of this, management does not want to spend money training developers to write secure code. Management does spend money on security technologies, but that's usually after a successful attack! And at that point, it's too late—the damage has been done. Fixing applications post-attack is expensive, both financially and in terms of your reputation.
Protecting property from theft and attack has been a time-proven practice. Our earliest ancestors had laws punishing those who chose to steal, damage, or trespass on property owned by citizens. Simply, people understand that certain chattels and property are private and should stay that way. The same ethics apply to the digital world, and therefore part of our job as developers is to create applications and solutions that protect digital assets.
You'll notice that this book covers some of the fundamental issues that should be covered in school when designing and building secure systems is the subject. You might be thinking that designing is the realm of the architect or program manager, and it is, but as developers and testers you need to also understand the processes involved in outlining systems designed to withstand attack.
We know software will always have vulnerabilities, regardless of how much time and effort you spend trying to develop secure software, simply because you cannot predict future security research. We know this is true of Microsoft Windows .NET Server 2003, but we also know you can reduce the overall number of vulnerabilities and make it substantially harder to find and exploit vulnerabilities in your code by following the advice in this book.
Who Should Read This Book
If you design applications, or if you build, test, or document solutions, you need this book. If your applications are Web-based or Win32-based, you need this book. Finally, if you are currently learning or building Microsoft .NET Framework–based applications, you need this book. In short, if you are involved in building applications, you will find much to learn in this book.
Even if you're writing code that doesn't run on a Microsoft platform, much of the material in this book is still useful. Except for a few chapters that are entirely Microsoft-specific, the same types of problems tend to occur regardless of platform. Even when something might seem to be applicable only to Windows, it often has broader application. For example, an Everyone Full Control access control list and a file set to World Writable on a UNIX system are really the same problem, and cross-site scripting issues are universal.
Organization of This Book
The book is divided into five parts. Chapters 1 through 4 make up Part I, “Contemporary Security,” and outline the reasons why systems should be secured from attack and guidelines and analysis techniques for designing such systems.
The meat of the book is in Parts II and III. Part II, “Secure Coding Techniques,” encompassing Chapters 5 through 14, outlines critical coding techniques that apply to almost any application. Part III, “Even More Secure Coding Techniques,” includes four chapters (Chapters 15 through 18) that focus on networked applications and .NET code.
Part IV, “Special Topics,” includes six chapters (Chapters 19 through 24) that cover less-often-discussed subjects, such as testing, performing security code reviews, privacy, and secure software installation. Chapter 23 includes general guidelines that don't fit in any single chapter.
Part V, “Appendixes,” includes five appendixes covering dangerous APIs, ridiculous excuses we've heard for not considering security, and security checklists for designers, developers, and testers.
Unlike the authors of a good many other security books, we won't just tell you how insecure applications are and moan about people not wanting to build secure systems. This book is utterly pragmatic and, again, relentlessly practical. It explains how systems can be attacked, mistakes that are often made, and, most important, how to build secure systems. (By the way, look for margin icons, which indicate security-related anecdotes.)
Installing and Using the Sample Files
You can download the sample files from the book's Companion Content page on the Web. To access the sample files, click Companion Content in the More Information menu box on the right side of the page. This will load the Companion Content Web page, which includes a link for downloading the sample files and connecting to Microsoft Press Support. The download link opens an executable file containing a license agreement. To copy the sample files onto your hard disk, click the link to run the executable and then accept the license agreement that is presented. By default, the sample files will be copied to the My Documents\Microsoft Press\Secureco2 folder. During the installation process, you'll be given the option of changing that destination folder.
System Requirements
Most samples in this book are written in C or C++ and require Microsoft Visual Studio .NET, although most of the samples written in C/C++ work fine with most compilers, including Microsoft Visual C++ 6.0. The Perl examples have been tested using ActiveState Perl 5.6 or ActiveState Visual Perl 1.0. Microsoft Visual Basic Scripting Edition and JScript code was tested with Windows Scripting Host included with Windows 2000 and later. All SQL examples were tested using Microsoft SQL Server 2000. Finally, Visual Basic .NET and Visual C# applications were written and tested using Visual Studio .NET.
All the applications but two in this book will run on computers running Windows 2000 that meet recommended operating system requirements. The Safer sample in Chapter 7 and the UTF8 MultiByteToWideChar sample in Chapter 11 require Windows XP or Windows .NET Server to run correctly. Compiling the code requires somewhat beefier machines that comply with the requirements of the compiler being used.
Support Information
Every effort has been made to ensure the accuracy of this book and the companion content. Microsoft Press provides corrections for books through the World Wide Web. To connect directly to the Microsoft Press Knowledge Base and enter a query regarding a question or issue that you have, go to the Microsoft Press Knowledge Base Web site.
Acknowledgments
When you look at the cover of this book, you see the names of only two authors, but this book would be nothing if we didn't get help and input from numerous people. We pestered some people until they were sick of us, but still they were only too happy to help.
First, we'd like to thank the Microsoft Press folks, including Danielle Bird for agreeing to take on this second edition, Devon Musgrave for turning our “prose” into English and giving us grammar lessons, and Brian Johnson for making sure we were not lying. Much thanks also to Kerri DeVault for laying out the pages and Rob Nance for the part opener and other art.
Many people answered questions to help make this book as accurate as possible, including the following from Microsoft: Saji Abraham, Ümit Akku, Doug Bayer, Tina Bird, Mike Blaszczak, Grant Bolitho, Christopher Brumme, Neill Clift, David Cross, Scott Culp, Mike Danseglio, Bhavesh Doshi, Ramsey Dow, Werner Dreyer, Kedar Dubhashi, Patrick Dussud, Vadim Eydelman, Scott Field, Cyrus Gray, Brian Grunkemeyer, Caglar Gunyakti, Ron Jacobs, Jesper Johansson, Willis Johnson, Loren Kohnfelder, Sergey Kuzin, Mike Lai, Bruce Leban, Yung Shin “Bala” Lin, Steve Lipner, Eric Lippert, Matt Lyons, Erik Olson, Dave Quick, Art Shelest, Daniel Sie, Frank Swiderski, Matt Thomlinson, Chris Walker, Landy Wang, Jonathan Wilkins, and Mark Zbikowski.
We also want to thank the entire Windows division for comments, nitpicks, and improvements—there are too many of you to list you individually!
Some people deserve special recognition because they provided copious material for this book, much of which was created during their respective products' security pushes. Brandon Bray and Raymond Fowkes supplied much buffer overrun help and material. Dave Ross, Tom Gallagher, and Richie Lai are three of the foremost experts on Web-based security issues, especially the cross-site scripting material. John McConnell, Mohammed El-Gammal, and Julie Bennett created the core of the internationalization chapter and were a delight to work with. The secure .NET code chapter would be a skeleton if it were not for the help offered by Erik Olson and Ivan Medvedev; Ivan's idea of “CAS in pictures” deserves special recognition. Adrian Oney and Peter Viscarola of Open Systems Resources, Inc. wrote the core of the device and kernel mode best practices at a moment's notice. J.C. Cannon took it upon himself to write the privacy chapter. Finally, Ken Jones, Todd Stedl, David Wright, Richard Carey, and Everett McKay wrote vast amounts of material that led to the documentation chapter. The chapter on conducting security code reviews benefited from insightful feedback and references provided by Ramsey Dow and a PowerPoint presentation by Neill Clift. Vadim Eydelman provided a detailed analysis of the potential problems with using SO_EXCLUSIVEADDR and solutions that went into both this book and a Microsoft Knowledge Base article. Your eagerness to provide such rich and vast material is as humbling as it is encouraging.
The following people provided input for the first edition, and we're still thankful for their help: Eli Allen, John Biccum, Thomas Deml, Monica Ene-Pietrosanu, Sean Finnegan, Tim Fleehart, Damian Haase, David Hubbard, Louis Lafreniere, Brian LaMacchia, John Lambert, Lawrence Landauer, Paul Leach, Terry Leeper, Rui Maximo, Daryl Pecelj, Jon Pincus, Rain Forest Puppy, Fritz Sands, Eric Schultze, Alex Stockton, Hank Voight, Richard Ward, Richard Waymire, and Mark Zhou.
Many outside Microsoft gave their time to help us with this book. We'd like to give our greatest thanks to Peter Gutmann (it's an urban myth, Peter!), Steve Hayr of Accenture, Christopher W. Klaus of Internet Security Systems, John Pescatore of Gartner Inc., Herbert H. Thompson and James A. Whittaker of Florida Tech, and finally, Chris “Weld Pond” Wysopal of @Stake.
Most importantly, we want to thank everyone at Microsoft for taking up the Trustworthy Computing rallying cry with such passion and urgency. We thank you all.
Part I
Contemporary Security
Chapter 1
The Need for Secure Systems
A secure product: a product that protects the confidentiality, integrity, and availability of the customers' information, and the integrity and availability of processing resources, under control of the system's owner or administrator.
A security vulnerability: a flaw in a product that makes it infeasible—even when using the product properly—to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
Source: Microsoft.com
As the Internet grows in importance, applications are becoming highly interconnected. In the “good old days,” computers were usually islands of functionality, with little, if any, interconnectivity. In those days, it didn't matter if your application was insecure—the worst you could do was attack yourself—and so long as an application performed its task successfully, most people didn't care about security. This paradigm is evident in many of the classic best practices books published in the early 1990s. For example, the excellent Code Complete (Microsoft Press, 1993), by Steve McConnell, makes little or no reference to security in its 850 pages. Don't get me wrong: this is an exceptional book and one that should be on every developer's bookshelf. Just don't refer to it for security inspiration.
Times have changed. In the Internet era, virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as the AutoPC and embedded systems—are interconnected. Although this creates incredible opportunities for software developers and businesses, it also means that these interconnected computers can be attacked. For example, applications not designed to run in highly connected (and thus potentially harsh) environments often render computer systems susceptible to attack because the application developers simply didn't plan for the applications to be networked and accessible by malicious assailants. Ever wonder why the World Wide Web is often referred to as the Wild Wild Web? In this chapter, you'll find out. The Internet is a hostile environment, so you must design all code to withstand attack.
I'm Not Crying Wolf
On Friday the 13th, July 2001, the Web site operated by the SANS (System Administration, Networking, and Security) Institute was defaced. The following week, SANS sent an email to all subscribers of their SANS NewsBytes with the following commentary:
This has been a startling reminder of just how devastating an Internet attack can be. Every single program and setting has to be reviewed and, in many cases, redesigned so that they can safely operate, not just in today's attacks, but also in the face of the threat level we will experience two years down the road. Some services may not be available for days.
The Internet is indeed a hostile environment. You can read more about the defacement online.
IMPORTANT Never assume that your application will be run in only a few given environments. Chances are good it will be used in some other, as yet undefined, setting. Assume instead that your code will run in the most hostile of environments, and design, write, and test your code accordingly.
It's also important to remember that secure systems are quality systems. Code designed and built with security as a prime feature is more robust than code written with security as an afterthought. Secure products are also more immune to media criticism, more attractive to users, and less expensive to fix and support. Because you cannot have quality without security, you must use tact or, in rare cases, subversion to get everyone on your team to be thinking about security. I'll discuss all these issues in this chapter, and I'll also give you some methods for helping to ensure that security is among the top priorities in your organization.
If you care about quality code, read on.
Applications on the Wild Wild Web
On a number of occasions I've set up a computer on the Internet just to see what happens to it. Usually, in a matter of days, the computer is discovered, probed, and attacked. Such computers are often called honeypots. A honeypot is a computer set up to attract hackers so that you can see how the hackers operate.
More Info To learn more about honeypots and how hackers break into systems, take a look at the Honeynet Project at project.honeynet.org.
I also saw this process of discovery and attack in mid-1999 when working on the Windows 2000 test Web site, a site no longer functional but used at the time to battle-test Microsoft Windows 2000 before it shipped to users. We silently slipped the Web server onto the Internet on a Friday, and by Monday it was under massive attack. Yet we'd not told anyone it was there.
The point is made: attacks happen. To make matters worse, attackers currently have the upper hand in this ongoing battle. I'll explain some of the reasons for this in “The Attacker's Advantage and the Defender's Dilemma” later in this chapter.
Some attackers are highly skilled and very clever. They have deep computer knowledge and ample time on their hands. They have the time and energy to probe and analyze computer applications for security vulnerabilities. I have to be honest and say that I have great respect for some of these attackers, especially the white-hats, or good guys, many of whom I know personally. The best white-hats work closely with software vendors, including Microsoft, to discover and remedy serious security issues prior to the vendor issuing a security bulletin prompting users to take mitigating action, such as applying a software fix or changing a setting. This approach helps prevent the Internet community from being left defenseless if the security fault is first discovered by vandals who mount widespread attacks.
How Was the Windows 2000 Test Site Discovered?
Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened. (By the way, don't worry if some of the concepts in this sidebar are unfamiliar to you. They will all be explained over the course of this book.) Someone was scanning the external Internet Protocol (IP) addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, the Hypertext Transfer Protocol (HTTP) server port. So the person issued an HTTP HEAD request to see what the server was; it was an Internet Information Services 5 (IIS 5) server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its Domain Name System (DNS) name was www.windows2000test.com. Finally the person posted a note, and within a few hours the server was being probed and flooded with IP-level attacks.
To think, all we did was slip a server onto the 'net!
Many attackers are simply foolish vandals; they are called script kiddies. Script kiddies have little knowledge of security and can attack insecure systems only by using scripts written by more knowledgeable attackers who find, document, and write exploit code for the security bugs they find. An exploit (often called a sploit) is a way of breaking into a system.
This is where things can get sticky. Imagine that you ship an application, an attacker discovers a security vulnerability, and the attacker goes public with an exploit before you have a chance to rectify the problem. Now the script kiddies are having a fun time attacking all the Internet-based computers running your application. I've been in this position a number of times. It's a horrible state of affairs, not enjoyable in the least. People run around to get the fix made, and chaos is the order of the day. You are better off not getting into this situation in the first place, and that means designing secure applications that are intended to withstand attack.
The argument I've just made is selfish. I've looked at reasons to build secure systems from the software developer's perspective. Failure to build systems securely leads to more work for you in the long run and a bad reputation, which in turn can lead to the loss of sales as customers switch to a competing product perceived to have better security support. Now let's look at the viewpoint that really matters: the end user's viewpoint!
Your end users demand applications that work as advertised and the way they expect them to each time they launch them. Hacked applications do neither. Your applications manipulate, store, and, hopefully, protect confidential user data and corporate data. Your users don't want their credit card information posted on the Internet, they don't want their medical data hacked, and they don't want their systems infected by viruses. The first two examples lead to privacy problems for the user, and the latter leads to downtime and loss of data. It is your job to create applications that help your users get the most from their computer systems without fear of data loss or invasion of privacy. If you don't believe me, ask your users.
The Need for Trustworthy Computing
Trustworthy computing is not a marketing gimmick. It is a serious push toward greater security within Microsoft and hopefully within the rest of the industry. Consider the telephone: in the early part of the last century, it was a miracle that phones worked at all. We didn't particularly mind if they worked only some of the time or that we couldn't call places a great distance away. People even put up with inconveniences like shared lines. It was just a cool thing that you could actually speak with someone who wasn't in the same room with you. As phone systems improved, people began to use them more often in their daily lives. And as use increased, people began to take their telephones for granted and depend on them for emergencies. (One can draw a similar analogy with respect to electricity.) This is the standard that we should hold our computing infrastructure to. Our computers need to be running all the time, doing the tasks we bought them to do; not crashing because someone sent an evil packet, and not doing the bidding of someone who isn't authorized to use the system.
We clearly have a lot of work to do to get our computers to be considered trustworthy. There are difficult problems that need to be solved, such as how to make our systems self-healing. Securing large networks is a very interesting and non-trivial problem. It's our hope that this book will help us all build systems we can truly consider trustworthy.
Getting Everyone's Head in the Game
“Security is a top priority” needs to be a corporate dictum because, as we've seen, the need to ship secure software is greater than ever. Your users demand that you build secure applications—they see such systems as a right, not a privilege. Also, your competitor's sales force will whisper to your potential customers that your code is risky and unsafe. So where do you begin instilling security in your organization? The best place is at the top, which can be hard work. It's difficult because you'll need to show a bottom-line impact to your company, and security is generally considered something that “gets in the way” and costs money while offering little or no financial return. Selling the idea of building secure products to management requires tact and sometimes requires subversion. Let's look at each approach.
Using Tact to Sell Security to the Organization
The following sections describe arguments you can and should use to show that secure applications are good for your business. Also, all these arguments relate to the bottom line. Ignoring them is likely to have a negative impact on your business's success.
Secure Products Are Quality Products
This is a simple issue to sell to your superiors. All you need to do is ask them if they care about creating quality products. There's only one answer: yes! If the answer is no, find a job elsewhere, somewhere where quality is valued.
OK, I know it's not as simple as that, because we're not talking about perfect software. Perfect software is an oxymoron, just like perfect security. (As is often said in the security community, the most secure system is the one that's turned off and buried in a concrete bunker, but even that is not perfect security.) We're talking about software secure enough and good enough for the environment in which it will operate. For example, you should make a multiplayer game secure from attack, but you should spend even more time beefing up the security of an application designed to manipulate sensitive military intelligence or medical records.
Despite the fact that the need for security and the strength of security is context-driven—that different situations call for different solutions—what's clear in this argument is that security is a subset of quality. A product that is not appropriately secure is inferior to competing products. Some would argue that security is a subset of reliability also; however, that depends on what the user means by security. For example, a solution that protects secret data need not necessarily be reliable. If the system crashes but does so in a manner that does not reveal the data, it can still be deemed secure. As Figure 1-1 shows, if you care about quality or reliability, you care about security.
Figure 1-1. Secure software is a subset of quality software and reliable software.
Why Would You Protect a Multiplayer Game from Attack?
It might not seem obvious, but multiplayer games are also susceptible to attack. Imagine you have written and published a multiplayer strategy game, such as Microsoft Age of Empires II. Someone discovers a vulnerability in the game that allows them to “kill” other players by sending a bad data packet to the other player's computer. So when a player is losing a heated conflict with another player, the first player simply sends the “packet of death” to the other computer and kills his or her opponent. That's hardly sportsmanlike but nonetheless likely, so you should protect your users from this kind of malicious behavior.
The Media (and Your Competition) Leap on Security Issues
Like it or not, the press loves to make headlines out of security problems. And sometimes members of the press don't know what they're talking about and mischaracterize or exaggerate issues. Why let the facts get in the way of a good story? Because people often believe what they read and hear, if your product is in the headlines because of a security issue, serious or not, you can bet that your sales and marketing people will hear about the problem and will have to determine a way to explain the issue. The old adage that “any news is good news” simply does not hold true for security incidents. Such publicity can lead people to start looking for solutions from your competitors because they offer seemingly more secure products than you do.
People Shy Away from Products That Don't Work As Advertised
Once news gets around that your product doesn't work appropriately because it's insecure, some people will begin to shy away from your product or company. Worse yet, people who have a grudge against your product might fan the fire by amassing bad security publicity to prove to others that using your product is dangerous. They will never keep track of the good news, only the bad news. It's an unfortunate human trait, but people tend to keep track of information that complies with their biases and agendas. Again, if you do not take security seriously, the time will come when people will start looking to your competition for products.
Don't Be a Victim
There is a misguided belief in the market that people who can break into systems are also the people who can secure them. Hence, there are a lot of would-be consultants who believe that they need some trophies mounted on their wall for people to take them seriously. You don't want your product to be a head on someone's wall!
Security Vulnerabilities Are Expensive to Fix
Like all engineering changes, security fixes are expensive to make late in the development process. It's hard to determine a dollar cost for a fix because there are many intangibles, but the price of making one includes the following:
The cost of the fix coordination. Someone has to create a plan to get the fix completed.
The cost of developers finding the vulnerable code.
The cost of developers fixing the code.
The cost of testers testing the fix.
The cost of testing the setup of the fix.
The cost of creating and testing international versions.
The cost of digitally signing the fix if you support signed code, such as Authenticode.
The cost to post the fix to your Web site.
The cost of writing the supporting documentation.
The cost of handling bad public relations.
Bandwidth and download costs if you pay an ISP to host fixes for you.
The cost of lost productivity. Chances are good that everyone involved in this process should be working on new code instead. Working on the fix is time lost.
The cost to your customers to apply the fix. They might need to run the fix on a nonproduction server to verify that it works as planned. Once again, the people testing and applying the fix would normally be working on something productive!
Finally, the potential cost of lost revenue, from likely clients deciding to either postpone or stop using your product.
As you can see, the potential cost of making one security fix could easily be in the tens, if not hundreds, of thousands of dollars. If only you had had security in mind when you designed and built the product in the first place!
NOTE While it is difficult to determine the exact cost of issuing a security fix, the Microsoft Security Response Center believes a security bug that requires a security bulletin costs in the neighborhood of $100,000.
Another source of good reasons to make security a priority is the Department of Justice's Computer Crime and Intellectual Property Section (CCIPS) Web site. This superb site summarizes a number of prosecuted computer crime cases, outlining some of the costs necessitated and damages inflicted by the criminal or criminals. Take a look, and then show it to the CEO. He or she should realize readily that attacks happen often and that they are expensive.
Now let's turn our attention to something a little more off-the-wall: using subversion to get the message across to management that it needs to take security seriously.