Every Day is makeITsecure day

You may have heard last week about makeITsecure day, an initiative that united the Irish government with a number of organizations, including Microsoft.  As part of the campaign, we were out – on the streets, in the schools, and at a number of high-profile events – discussing issues like phishing, spyware, identity theft, child safety online, and other risks.  Our mutual goals included raising awareness, offering useful tips, and giving people in the broader community a chance to ask the tough security questions they’ve always wanted to ask.

For those of us in the development community, we know that every day is makeITsecure day. We see security as part of the process, not something bolted on, and certainly not something we can forget without dire consequences.  We need to understand the issues at play on a much deeper level, plan ahead, and be vigilant.

These days, we have the good fortune of having exceptional tools to help us design and implement more secure systems.  In Visual Studio Team System demos, I particularly like to focus on how the Team Architect system diagrams allow an architect to check for best practices and identify potential threats before a line of code is written, and long before anything is deployed into the data center.  As another example, the static code analysis of Team Developer helps catch common gotchas at compile time – problems which may otherwise lead to vulnerabilities like buffer overruns or SQL injection.

I’m currently reading about security implementations in the Windows Communications Framework.  I was pleasantly surprised to see how you can integrate the ASP.NET 2.0 provider models into WCF authentication!  

But I’m sure you all have your own personal focus for security interests.  It’s worth taking a look at the subsection of the MSDN site that’s devoted to security (http://msdn.microsoft.com/security/).  And here is an MSDN site devoted to security issues of particular interest to Irish developers: http://www.microsoft.com/ireland/security/

Comments (4)

  1. danger says:

    Why didn’t makeITsecure.ie suggest other more secure browsers like Firefox etc? – It completely ignored the most simple thing people can do to increase net security – stop using the most widely targeted browser for spyware, malware etc. The IT departments of all the companies listed as sponsors of the page know this as a fact, yet failed to inform the public of it.

  2. Paschal says:

    Yeah yeah we heard that so many times Firefox is more secure, IE not. Sorry danger (whoever really you are) Firefox is no more secure than IE, if you look at the number of patches you got now 🙂

  3. I would agree with Paschal – the latest IE is certainly competitive with FireFox on the security issue.

    A couple of years ago IE was a security disaster, but because it was subjected to so many attacks, it is now significantly improved. FireFox and its predecessors have not had many attacks until recently, and hence the FireFox developers have had to be busy on the security front, but they seem to have sorted out any problems that were discovered.

    I would rate a fully patched IE and a fully patched FireFox as equal on the security question – the important point for users is to ensure they keep whichever browser they use fully patched (e.g. WinXP SP2 *AND* automatic updates turned on).

  4. RobBurke says:

    Thanks everyone for the comments. I’d agree with Eamon that IE security has come a very long way. And, although I’d rather this wasn’t an us-versus-them discussion, it’s worth noting that other browsers like Firefox are far from immune to security vulnerabilities: http://www.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=Firefox&x=29&y=9

    Security is a process. A thorough security process should involve all of the following:

    – a consistent methodology for identifying serious issues and communicating about them to customers

    – a track record of producing high-quality, timely fixes for security issues

    – a good desktop management/update toolset to make sure those fixes make it onto the machines you own

    – a roadmap for how security, reliability and manageability will continue to improve over time

    I’d expect Microsoft and IE to do very well in any honest evaluation of these 4 points.

    Regarding the future roadmap, the innovations in IE 7 and Vista are particularly noteworthy.

    Rob Franco did a great presentation at PDC05 this year that discussed threat modeling in IE7 and what they did to make it more secure. You can see the session online:


    You can also find security information through searching: