Skip navigation
All Places > PI Developers Club > Blog > 2010 > June

If you checked your email inbox lately, you probably saw this announcement about the registration for OSIsoft vCampus Live! 2010 being open...  Well, what you are waiting for? Hurry up and register soon to save money (Early Bird registration ends July 21st!)


More details coming soon on this blog (RSS Feed) and on the vCampus Live! 2010 twitter account.
All the details at see you in person in September!


(interested in presenting something at the event? submit your paper in this discussion thread)



Most of us have probably taken chances with street vendors or the occasional "B" grade dining establishment. But let's face it, if your favorite restaurant failed to get an "A" rating you would take notice.


Similarly the rating paradigm for secure software is gaining momentum as more and more buyers are demanding independent assessment of software security. Veracode provides such services, here is their rating scheme:




In this case, the lowest bar is pretty low, simply recommending a passing scan using static analysis tools. You might even expect that most .NET applications would be a shoe in because code analysis is already built in (provided you are running code analysis and not suppressing messages without real investigation). Regardless, a clean scan is unlikely unless the developer has tools on par with those used by security assessment firms. 


Here are the code analysis categories checked when using .NET FxCop:

  • Design Warnings
  • Globalization Warnings
  • Interoperability Warnings
  • Naming Warnings
  • Performance Warnings
  • Security Warnings
  • Usage Warnings

The message here isn't to promote Veracode, there are many security assessment firms to choose from. But I will comment that the logistical model seems workable. Source code need not be provided for binary analysis. You just upload the executable (it is a bit interesting their analysis tool is reported to work best with debug builds). Regardless, when the buyer picks up the tab, ISVs have little control over who performs the ‘independent' assessment.


Of course, secure software ratings are too simplistic to be any more effective than restaurant grades are at ensuring a healthy meal. The real message is that assessments are becoming routine and a competitive business. There are plenty of market forces generating demand for security assurance.


A clean static analysis scan is good but only one element of a security program. While not the most important element it does appear to be one that can be easily implemented. I encourage all of you to take advantage of code analysis tools. Looking forward, industrial cyber security compliance initiatives such as ISA Secure and WIB involve a far more rigorous audit delving into your security development lifecycle.



Considered by many as the first holiday of summer, Memorial Day ushers in an unofficial season of starts. "Gentlemen, start your engines!" is a quote made famous at the Indianapolis 500 and is fitting of the season.


The season is full of ceremony and commencement speeches that often mark the start of new careers. I still recall my engineering professor exclaiming our job is to get you revved up for industry (he probably wrote his speech during the race).  


That was a long time ago but so true. The new faces we welcome at OSIsoft are indeed eager to make a difference. A fellow PI gray beard remarked in wonderment about all the skill specialties. In the early days, engineers had to do it all. A break out box, data scope and ascii tables were needed for any hope of debugging an interface. We would use a drill to install 10base5 thicknet taps. The joke was that real engineers program in Fortran no matter what compiler was available!


Like most professions, body of knowledge and experience has dramatically expanded. Specialization is in essence a practical necessity in the technology world. Good engineers must still be solidly grounded in fundamentals such as security.


But here's the catch 22, security used to be a specialty.  How do we ensure everyone understands their role in security? Well, the Microsoft SDL Developer Starter Kit has an app for that. 


The starter kit is level 100 with no prerequisites and is must know material for any professional developer. The kit is organized by specialty and provides content in many formats. You can read word documents or maybe you want to ‘cut to the chase' by clicking through a Powerpoint presentation. Perhaps multimedia is more your style. If you want to prove mastery of the basics, some modules even have a test quiz. It's all available on the download site.


Specialty topics include:

  • Banned APIs
  • Buffer Overflows
  • Code Analysis
  • Compiler Defenses
  • Cross-Site Scripting
  • Fuzz Testing
  • Secure Design Principles
  • Secure Implementation Principles
  • Secure Verification Principles
  • Security Code Review
  • Source Code Annotation Language
  • SQL Injection
  • Threat Modeling Principles
  • Threat Modeling Tool Principles

I often get the question: "What's the most important thing we should be doing for security"?  Like so many things the answer depends where you are in a product lifecycle. Absent the pressure of impending doom or incident response, addressing security as early as possible is the favored approach.


To do so effectively, engineers must know what is expected to practice security as part of their profession. A software architect will have different needs than a QA engineer. Implementation and security tools vary depending on the type of project. Threat modeling doesn't actually improve security until the threats are mitigated but as a standard method the model is essential in prioritizing security tasks.


In other words education is the key. Is level 100 SDL training adequate to build applications serving critical infrastructure? No, it's just a good start. Product managers, security development leads, and other gray beards carry the essential burden in building a trustworthy product.  So gentlemen: Start your engines!

Filter Blog

By date: By tag: